General

  • Target

    malicious.vhd

  • Size

    6.0MB

  • Sample

    240131-fwkk2adhbk

  • MD5

    7491027592069e5397c34f7640ac095c

  • SHA1

    da667e060b38d380632a640e9fa4f81e9e0157f3

  • SHA256

    50b9fff16f73b30b772d443e019f88fd2402a0beaa5377ec2ee9f2a86c6c0fc0

  • SHA512

    771cb78f15ef9eb9eb9dcc7f6cd215f40e0331fa1749816e7e44105e7bb1bd033dcb3a37fa11da68ad084f46e118689ee462ad4d669c44f365bcb7d245a754eb

  • SSDEEP

    3072:8vDRvBT3Out63w5o6wLtIbemJcNPKR6xnFr4ceN3:8vDRZT9tlNSKShw

Malware Config

Extracted

Family

xworm

C2

moneyinthemaking33.duckdns.org:8895

Mutex

vZvRiI9PDVfoRdoR

Attributes

  • install_file

    USB.exe

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

markvenm2.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      $RECYCLE.BIN/$I9E90EG.vbs

    • Size

      66B

    • MD5

      7e0d2e0cefae2fc74cd23a243519c830

    • SHA1

      aa7264ae3f0a921d7abc73fdcb73006eb2d43e70

    • SHA256

      5cc44f56d08673cd0bd6d8f14c30037467371a842b9357b1c07831109629805a

    • SHA512

      bfbea668f730b6981509ac7005a92b4e0255abbaeaed19338a4a149271ffed73cd6313742a6ecd5fa1963f211615614ffe0cefef1ef22b42efa1b5f4b431e5c4

    • Score

      1/10

    • Target

      $RECYCLE.BIN/$R9E90EG.vbs

    • Size

      46KB

    • MD5

      100ebb22e2cc8fe99d14a5fada80c76c

    • SHA1

      2b5f93cf92d8e054ad750b426811a03bca102b69

    • SHA256

      ddc773175de54d23e42a27b287efbb83df994dfb56984b9c658d46e9c3217f1b

    • SHA512

      24e0830f6ff0069a5e86b8889744a8e9193f441ccf342e10c66108936423a95a07fbbaf535797f07c78fc1be8b41346cc2f6300f5ad56ec0b48a1f2bf264f242

    • SSDEEP

      768:pONutlmJQ4XHeRvBTRyjEU5GAJsIWEb2fKYRqp3wCocE7jMYBKvlGtsJe5x3EKWI:CuthDRvBTIjByIHutCqjMYYvY5ofS

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      INV-ER001.vbs

    • Size

      39KB

    • MD5

      d7d8d300388defcdec4a1aa3cbd6e77d

    • SHA1

      5910727b8e8ca3797958ec85721fc87feec28b7b

    • SHA256

      b39988c2c5ced16ec41dead404b39ebf3c3883f0b2377ada2fa23bb4fa4ef6ba

    • SHA512

      8bc6d078b5a4b6ed7c782ea3b352e768030f0b9144206c82078ef188f07a9ab92bc6daab12ba3d82ee7391e6e4a7a8227cc27c3e8dbcb2c46bbaef420e6de1e5

    • SSDEEP

      768:9BjibXdU/GQo4v84N4rjFkeNSAme0MacUadFu9FH6QNIIKHT:/EOe4E4KnF2e4ceFaQNIIKz

    • Score

      7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      INV-ER002.vbs

    • Size

      39KB

    • MD5

      2238d24d82cad992c8760cdeea5829bf

    • SHA1

      e7d1cf1f6832545b9c1332dccaa306c8e052741e

    • SHA256

      d18f284aca26c0d0e2797ed99d9561c5bce04d3618866f5491143198c1f041df

    • SHA512

      1aa269737f853a7460326092a5cdc914b8da23ec8f4ea777bc49703bc1b80ea2ed0906bfa75aedf05a69fc184e1b3332cf282e296e922617ab5007d88c8d9c41

    • SSDEEP

      768:4EOirRdePOJBftG0BHREykgSnFBib2s1oJcI4YZncQNvypRlfA:vOwRda+80BxERbF3smJcwNqRlfA

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Guloader, Cloudeye

      A shellcode based downloader first seen in 2020.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      System Volume Information/WPSettings.dat

    • Size

      12B

    • MD5

      c4cbabea753314b8211c532b3a66dc36

    • SHA1

      d87e856dfb0661af451097583f06d2c8083b176a

    • SHA256

      4b27bf5ea37a69798d79854934ae5b7905cfed33da36d2bb9c686a8f11ece336

    • SHA512

      dbf6442675282a5f50689a96b4af686c813333db9a921da2c29e2cd3503dc49e7365d7a0df6ccb4355abe7c3452b93a407bd60cae67b66df71dc2d6e243e1779

    • Score

      3/10

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                            | ID        | Count
  ---------------------|--------------------------------------|-----------|------
  Persistence          | Boot or Logon Autostart Execution    | T1547     | 2
  Persistence          | Registry Run Keys / Startup Folder   | T1547.001 | 2
  Privilege Escalation | Boot or Logon Autostart Execution    | T1547     | 2
  Privilege Escalation | Registry Run Keys / Startup Folder   | T1547.001 | 2
  Defense Evasion      | Modify Registry                      | T1112     | 3
  Discovery            | Query Registry                       | T1012     | 4
  Discovery            | System Information Discovery         | T1082     | 8

Tasks