General

  • Target

    CatrinePerm.rar

  • Size

    24.5MB

  • Sample

    240207-v3bc9sac22

  • MD5

    e833142567e944de45c2bbbd04ec1c94

  • SHA1

    338ddfae6afc0607b4a468851a8adefc0413ae53

  • SHA256

    ef5945a33a45fb59f4a1bfaecda7cbef60b5db36f86809f6a4330cebbaac6107

  • SHA512

    732b290cb1fc5394e45cca33fbf295460bb52f79268a5da5ecd0203aed2017aa287c2514919a72b20aacfb7bc5e67407c7f0cbcf7df13209cc2a1af7e9ca09cd

  • SSDEEP

    786432:zHrztN3gfmrIT0rXzmpgwfXhf232fSiiARZ:zHr73xrIsMgwPhfJf/i2

Malware Config

Extracted

Family

xworm

C2

78.69.106.17:8000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    Winrar.exe

Targets

    • Target

      CatrinePerm/CatrinePerm.dll

    • Size

      811KB

    • MD5

      5aabc1aaec4fe6297da47c8d327ddd29

    • SHA1

      ddfb19d827747f4ed4e59d4f2975f7017568e974

    • SHA256

      45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8

    • SHA512

      290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6

    • SSDEEP

      12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      CatrinePerm/CatrinePerm.exe

    • Size

      401KB

    • MD5

      9507155d937399149aa9078a3e87a155

    • SHA1

      fc849d158401ef8c2c70589d7d96d82c061e171e

    • SHA256

      b8966ebd8b18c419d14cc7586009c2ab1bf1a08a438d49058bea5bd076fb8a34

    • SHA512

      f11ac8157a7a3e52f957f6fd444c0fdaad89295890d8474576e1af93ece65e804a019cde8ce4c2c7bb610debc6c252ae604f87419dc32f994574d1171fdca42b

    • SSDEEP

      6144:ADxYwup0zGAc6Y4PWGFrzaN1tM06g51Ejxm7brM0Nfm2Wm5geB5MNXHHHHHHHRHr:AdYr4Gj6OGkpsoM4fm2WmOI5fa/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      f_000004

    • Size

      2.4MB

    • MD5

      46a47acda7fdd80dd473759e32ce4cdd

    • SHA1

      07228c70d179792e0fa8706bc80c8d93c24048ee

    • SHA256

      2901a0f7ee3a0f9d1beb6ace1e96a14f53562ced4c8e2db18a9ed8219716b99a

    • SHA512

      2baabf0de9b0339c625fcb7de455e068ecc471164be170eb41906ae7c6552e19482034270d616a2518fa281088fc18cc01dc8699e8b09e031d30b43f5ffd12a8

    • SSDEEP

      24576:TT5OK3WfXiExqyHTzmG5o40P2CIQ5kNZFx/IbM22TKFNENt8hvC+G:v5Oq8BqP21Q52ZFVIJ2TKFN4uvCF

    Score
    1/10
    • Target

      f_00001c

    • Size

      2.4MB

    • MD5

      4ee2fb755967abaa5dfa3077533ea641

    • SHA1

      28cb2ab2c5bd0f504d57ef111dcc7ecbb4564cf3

    • SHA256

      b06870081ed26e46b05c8909ac0e9d928249e0547a3ef0985434c54bb47a1ee8

    • SHA512

      e022241069c7e3b9eee8d5047cea51360caf46e7b4647aba44e1167146f0fe8098ada0158087ca51eb484fb7845fbed0b5f113ebf916f96b724932329b6b3c46

    • SSDEEP

      24576:kMoPLfNOhG6ZnykiUYfhsLPyQ/iZSOXAB6JVlDfF7pJYW3+vav1vV:JoPLlrmPyQ6ZHXAoVNF7pJPuiv1d

    Score
    1/10
    • Target

      CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0

    • Size

      52KB

    • MD5

      907a4d3235fc0d5697c35d487c85d26b

    • SHA1

      f36c4d32175f51fc382ddce94652f1b7b4e94f7d

    • SHA256

      5359c3853e7ecbbcda58b3ce89ad48630958041656ecf5d541b9509c60611cd0

    • SHA512

      b15604fcaac678280f8dec044388b666ffc4cb0dba3b7f468c57fcc580bd0bf3782330f21b244ab6a947a3ef7064a2e168b5e355e927598e382a9a6f011b000c

    • SSDEEP

      768:3SyJmvdqGyhyNt5IXRt3s/BjLmnktzu2xYWbWYtiu2/lfJVpYDGFo6zY3nFZZEPY:iyJmvdO4/K2ynHqjH2hJHWd681ZK4P+

    Score
    1/10
    • Target

      CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0

    • Size

      52KB

    • MD5

      eee55503dcb1500eb69b3a3d3a67a936

    • SHA1

      b53c45a32cf4b2ea7b2dbeac3410185744823da0

    • SHA256

      2d3e221b28a0d99397cafd80b84a8e5f660013a5015da37e26ac679d9298d7a6

    • SHA512

      5a3c4f899730ab2fac9543c670f99c8735dab87af3f3f6969e6977bb1f466bb1836d1d8ccaaca6fa920a2e3067a08797ce95f39c6f1ab098cf7f5eb9147a42cf

    • SSDEEP

      1536:YF6J1Jq7DUmEzme6/TJs/9yBpSl0XVBQvf4+CFJf:1J1UEyJ/TJNB3QvAnf

    Score
    1/10
    • Target

      CatrinePerm/ControlzEx.dll

    • Size

      245KB

    • MD5

      6def9baa2552c072cea16b155fed0668

    • SHA1

      93c9c9a7bf892d102f75b7fbadcc997488b4ed34

    • SHA256

      3eceee9042e90da4a433007729778f72516f762599f7920839c751e180a47cb0

    • SHA512

      62ef6519d0aa5979acd11067ff129ebb85bf62df8e66e395423b0cf33e5aa1541f2a028d38f2f6647cc129f6cc8be381b9c4762928fd4d163a1614652f5984ac

    • SSDEEP

      6144:kv/YsKAsoWDJH5u6YAZBEmR8OpY82gb7gP2rxp+7vVNviPF1vdy0+mE:kyVoOJBRTdl2

    Score
    1/10
    • Target

      CatrinePerm/DiscordRPC.dll

    • Size

      82KB

    • MD5

      c6115a08c8e50dac0194fb98d3edc9d2

    • SHA1

      903da7fb7ad47b7ad8eb5984ed54a865f6148744

    • SHA256

      4dd4d48e0681604e3a7a72b6eae42173421d0b806b1af8fa03b45d9999978499

    • SHA512

      3e43f721cf7b1ab28a4ff771b4186c70523eb2bd236063111593453c08dc8a7cf3fffd6a15af72502e8b800a35fbc7a7bd4ebb5b8f5f41796ee62a7a4a96c324

    • SSDEEP

      768:eZGfuhWbsoZkmJPTsERSrxWjOFB8ZZnwUMOpSJAT9wQtc3nIYH+nijpJRMnk56Ha:TWIbP3QxWjOQ5pYlPMkh+mTxtSNy

    Score
    1/10
    • Target

      CatrinePerm/MahApps.Metro.dll

    • Size

      3.4MB

    • MD5

      fe25094bf44c6e3c8d6145bfec1ef2d2

    • SHA1

      50696530bd5f24f30ae90742da6bf7bccbafaac0

    • SHA256

      68768ebd9b04ebe7d9f093414c94a4f550741b7f3cf6ec3089b62c0fa76ee308

    • SHA512

      9632dceb87befcb04af648c1fd70ffb6f2e497de1026cf9422d3ba4a07f03387e75d5bb85dfdb1e1137d1bf5ac2b66ac984e5417e43e1c47d25df992a25b9f21

    • SSDEEP

      24576:xkcYr/qDOGL4/7qDL2P/1Y5e1bq7mTv+iruHt+Q:fUlPM2bq7mTv+iru5

    Score
    1/10
    • Target

      CatrinePerm/Microsoft.Web.WebView2.Core.dll

    • Size

      523KB

    • MD5

      9f9feedb05b87e1be1c7ab710655d0e8

    • SHA1

      2886a398d065e13f667b974180589baff890d2b3

    • SHA256

      5e172b4f558723b7dbb7f568f301077c84d6571436fbe5a5f45bfa621c020403

    • SHA512

      397be2264710120f1f6c419fc7e6a95915eabd0b0586461fadf7335d3b3e0bc35ebca96acf5cb4002a46f6aef90c0238564519c47c7c62c995b1d7469158b287

    • SSDEEP

      12288:qDrB322zh+iKsRFN/eA+imQ269pRFZNIEJdIEY0lxPrEIgcvLcglxMwCepM1SwU1:Zj

    Score
    1/10
    • Target

      CatrinePerm/Microsoft.Web.WebView2.WinForms.dll

    • Size

      39KB

    • MD5

      4caae0e27f1c493ad732e3a49b38b097

    • SHA1

      4319402a47be6c022552612303b6dca6eed4bade

    • SHA256

      32a1e3f4184ce03122c4503b53a7983204fa38e030dcdbbfe64f1b471fd12c42

    • SHA512

      0ff25e58b8e761e0c5b1a419b35547b4de8f02f2fe07e5ac8bc992bde46ac9fcae261bfd31ab90d9a669fa58cc87b798ec0a9de144245f6e39318e6b4c2eb83e

    • SSDEEP

      768:L41nHCqoU2GmbUt5740eObba2yfhZDgcEST3p4Jjrjh2jJTSG2au8vxJKia5/ZiE:L+bxyfhZDgcEST3p4JjrjaJTSG2au4xc

    Score
    1/10
    • Target

      CatrinePerm/Microsoft.Web.WebView2.Wpf.dll

    • Size

      47KB

    • MD5

      60aac68fd5215f9f2f703bf3d61f7100

    • SHA1

      fafde9b5785400a013e84b6bccaa5c352589b16b

    • SHA256

      1eaff15b01117b888678bf552a04b2097f64b11adf01f566e4a8c4eb0f2eeb4d

    • SHA512

      8d86fe304eda0d66b9e7a7257f7f4254a5f8ac72cc5d6760497ce8284650734f224b8097d9b4f6c9b5a7941c278f5e2e9af5a51f6fe48d185376e32a826351d7

    • SSDEEP

      768:0rYDVkqAbSEJL637/mkqlw8fDP/ryEH0tBy4JjrD1h2jBhlUaGzkD7hKKa5/Bi/w:DJAbZk7/qw8fDP/ryEH0tBy4JjrD1aBy

    Score
    1/10
    • Target

      CatrinePerm/Microsoft.Xaml.Behaviors.dll

    • Size

      141KB

    • MD5

      3add5efdb77ac86592db53b1a22d41c4

    • SHA1

      05cce0b4888b8a4a9d0035a00da792ae2f2f52da

    • SHA256

      71e00e2b9ca3088132fc4d54a2076cb07127fe02a5fbc10df8d61cde55dfdbef

    • SHA512

      f766aab25e307c5dcca8ae09925e11fb2183e19b5936984c082eb794bd99256bfb0ae2441cc615cac5b358ba259033e397cd718aa63912ef2c9de2cd558d99aa

    • SSDEEP

      3072:vq1jbJHF+e2mLqVQhe1d9PrZqYTXx5r1j2u:i1nJwxasnTp

    Score
    1/10
    • Target

      CatrinePerm/Newtonsoft.Json.dll

    • Size

      679KB

    • MD5

      916d32b899f1bc23b209648d007b99fd

    • SHA1

      e3673d05d46f29e68241d4536bddf18cdd0a913d

    • SHA256

      72cf291d4bab0edd08a9b07c6173e1e7ad1abb7ab727fd7044bf6305d7515661

    • SHA512

      60bd2693daa42637f8ae6d6460c3013c87f46f28e9b0dbf9d7f6764703b904a7c8c22e30b4ba13f1f23f6cbee7d9640ee3821c48110e67440f237c2bb2ee5eb6

    • SSDEEP

      12288:1eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQk:10/POdGV5jfW5VnhFyvOB7jW5JMty

    Score
    1/10
    • Target

      Revo_Uninstaller_Pro_5.1.1/Crack/revouninstallerpro5.lic

    • Size

      64KB

    • MD5

      8462a9b69c76a9603a4143d51fbc201e

    • SHA1

      4473590f93f94f22c340a354516191c3c0ba6532

    • SHA256

      fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8

    • SHA512

      2f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570

    • SSDEEP

      1536:wg8dvQaFp4zqjLCzkCYlnXMEbnxbiHgsWtXTiKE6AXutI0b:6dvPFHLCzYlnXBUg3TibT+5

    Score
    1/10
    • Target

      Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe

    • Size

      16.8MB

    • MD5

      ab0d159cbe7e1f7f9adea455506f73b1

    • SHA1

      a780054d4721e433387091233fd16c67ecbf3bec

    • SHA256

      21a5b0e1ab9d88eec56dcd1c2ff050742d73e87325922e0840502d211b77b22a

    • SHA512

      a28fb07060a33405a3d26d92c6479f77e4c403092b71471d0516cb4a431d2af55e48740c14622c6353066f53945ae8185aafb15f15b643ac4254dd26dd157ddc

    • SSDEEP

      393216:LwA1pdJwTb+1yXa+v5wfFUSwwV6YWlw9Muo4O9W3XfCX5wRIa4o:MADdJYVNCtUS1VWlwa4O2Xfs5O4o

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

xworm persistence rat trojan
Score
10/10

behavioral2

xworm persistence rat trojan
Score
10/10

behavioral3

xworm persistence rat trojan
Score
10/10

behavioral4

xworm persistence rat trojan
Score
10/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
7/10

behavioral32

Score
7/10