General

  • Target

    VapeClient.exe

  • Size

    7.3MB

  • Sample

    240219-tkkzbaga82

  • MD5

    ab8751ae85af848f6282d3803b423427

  • SHA1

    6af1cd73c7e0ae0849b40d257294c15a9ee421e2

  • SHA256

    0007b8f09a104375fd414cd3990dfe3617a4246eb7ac9f56bf16436a2436edc3

  • SHA512

    6f4419ec258e8a5ae0e2addfd6adcec816e0f873490a076204152218cd21da728733c9ee31ed5cf54a1023cdcf91d017dfca6c71824579964c5ad67bf0424132

  • SSDEEP

    196608:o+vgfou16kyhYKGyIcjXOm5FXnRS4UaOpDjJ7m:o+vgwuYkyhiyIcr/5FXnY3hFm

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/4dSAsSm4

Targets

    • Target

      VapeClient.exe

    • Size

      7.3MB

    • MD5

      ab8751ae85af848f6282d3803b423427

    • SHA1

      6af1cd73c7e0ae0849b40d257294c15a9ee421e2

    • SHA256

      0007b8f09a104375fd414cd3990dfe3617a4246eb7ac9f56bf16436a2436edc3

    • SHA512

      6f4419ec258e8a5ae0e2addfd6adcec816e0f873490a076204152218cd21da728733c9ee31ed5cf54a1023cdcf91d017dfca6c71824579964c5ad67bf0424132

    • SSDEEP

      196608:o+vgfou16kyhYKGyIcjXOm5FXnRS4UaOpDjJ7m:o+vgwuYkyhiyIcr/5FXnY3hFm

    • Deletes Windows Defender Definitions

      Uses the Windows Defender command-line utility MpCmdRun.exe (typically invoked as MpCmdRun.exe -RemoveDefinitions -All) to delete all installed Defender definitions, leaving the host without signature-based protection.

    • Detect Xworm Payload

    • Xworm

      XWorm is a .NET remote access trojan written in C#. Per the extracted config, this sample installs itself as USB.exe under %Temp% and retrieves its C2 address from the Pastebin raw URL listed above rather than embedding it directly.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

      The sample fetches data from pastebin.com (the pastebin_url in the extracted config), using a legitimate paste service as a C2 dead drop.
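The signatures above describe the behaviour chain a defender should be able to see in endpoint telemetry: MpCmdRun.exe removing definitions, the dropped %Temp%\USB.exe executing, a Run key pointing at it, and a fetch of the Pastebin raw URL. The following is an added example (not part of the sandbox report and not the sandbox's own detection logic) that applies those checks to a handful of constructed, Sysmon-style event records; the event field names, the process IDs and the sample events are assumptions made for illustration, while the file name and URL come from the report's extracted config.

```python
"""Detection logic for the behaviours listed in the sandbox report, run over
constructed Sysmon-style event records. Added example; the event schema
(event/pid/image/cmdline/target/details/url) is an assumption."""
import re

# Indicators taken from the report's extracted XWorm config
INSTALL_FILE = "USB.exe"
PASTEBIN_URL = "https://pastebin.com/raw/4dSAsSm4"

# %Temp% as seen either literally or expanded under the user profile
TEMP_DIR_RE = re.compile(r"(%temp%|\\AppData\\Local\\Temp\\)", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# MpCmdRun.exe -RemoveDefinitions -All is the documented way to wipe definitions
MPCMDRUN_RE = re.compile(r"mpcmdrun(\.exe)?.*-RemoveDefinitions", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the report signature names matched by a single event."""
    hits = []
    kind = event.get("event")
    if kind == "process_create":
        cmd = event.get("cmdline", "")
        image = event.get("image", "")
        if MPCMDRUN_RE.search(cmd):
            hits.append("Deletes Windows Defender Definitions")
        # dropped payload: the configured install_file launched out of %Temp%
        if TEMP_DIR_RE.search(image) and image.lower().endswith("\\" + INSTALL_FILE.lower()):
            hits.append("Executes dropped EXE")
    elif kind == "registry_set":
        # persistence: a Run key whose value points into %Temp%
        if RUN_KEY_RE.search(event.get("target", "")) and TEMP_DIR_RE.search(event.get("details", "")):
            hits.append("Adds Run key to start application")
    elif kind == "network":
        url = event.get("url", "")
        if url.startswith("https://pastebin.com/raw/"):
            hits.append("Legitimate hosting services abused for malware hosting/C2")
            if url == PASTEBIN_URL:
                hits.append("XWorm config pastebin_url match")
    return hits


def scan(events) -> dict:
    """Aggregate hits across an event stream: signature name -> list of PIDs."""
    report = {}
    for ev in events:
        for name in classify(ev):
            report.setdefault(name, []).append(ev.get("pid"))
    return report


def matches_report(report: dict) -> bool:
    """True when all four behavioural signatures from the sandbox report fired."""
    needed = {
        "Deletes Windows Defender Definitions",
        "Executes dropped EXE",
        "Adds Run key to start application",
        "Legitimate hosting services abused for malware hosting/C2",
    }
    return needed.issubset(report)


# Constructed sample telemetry (assumed values, not captured from the sandbox run)
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120,
     "image": r"C:\Users\victim\Downloads\VapeClient.exe",
     "cmdline": r'"C:\Users\victim\Downloads\VapeClient.exe"'},
    {"event": "process_create", "pid": 4388,
     "image": r"C:\Users\victim\AppData\Local\Temp\USB.exe",
     "cmdline": r'"C:\Users\victim\AppData\Local\Temp\USB.exe"'},
    {"event": "registry_set", "pid": 4388,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "details": r"C:\Users\victim\AppData\Local\Temp\USB.exe"},
    {"event": "process_create", "pid": 4512,
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"event": "network", "pid": 4388, "url": "https://pastebin.com/raw/4dSAsSm4"},
    {"event": "process_create", "pid": 4600,  # benign control, should not match
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for name, pids in result.items():
        print(f"{name}: pids {pids}")
    print("full XWorm chain observed:", matches_report(result))
```

The definition-removal check keys on the command line rather than the image path because MpCmdRun.exe can be copied or run from the platform version directory; the Run-key check requires the value data to point into %Temp% so that ordinary installer persistence does not fire it.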

MITRE ATT&CK Enterprise v15

Tasks