General
Target: Reaper.zip
Size: 8.8MB
Sample: 240310-fan2bscc93
MD5: 8a9fd82515a15881c31cb0516dac5d44
SHA1: d2919b4e980a7fa383017e6580b36c920e3cae72
SHA256: d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c
SHA512: 6775b8d3c1e218e858f0802255539188a7eb7cc9aa3f295cb94364ecdca21deb9075355305d98cd7d923f1d9f55c765a0998d13e4ebe46cea19f3e1751367d88
SSDEEP: 196608:38j0qdqkbIWjOSgM24TDSfhBuT+aq3N7J738d9Pvn7QVw9hf:zqdHjRA4TDghAT+a0N7J7sd9nWyx
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: Reaper.zip, win7-20240221-en
behavioral2: Reaper.zip, win10v2004-20231215-en
behavioral3: Reaper/Reaper/Bin/FpsUnlocker.exe, win7-20240221-en
behavioral4: Reaper/Reaper/Bin/FpsUnlocker.exe, win10v2004-20240226-en
behavioral5: Reaper/Reaper/EasyExploits.dll, win7-20240221-en
behavioral6: Reaper/Reaper/EasyExploits.dll, win10v2004-20240226-en
behavioral7: Reaper/Reaper/Reaper.exe, win7-20240221-en
behavioral8: Reaper/Reaper/Reaper.exe, win10v2004-20240226-en
behavioral9: Reaper/Reaper/Scripts/Aimbot 3.0.js, win7-20240221-en
behavioral10: Reaper/Reaper/Scripts/Aimbot 3.0.js, win10v2004-20240226-en
behavioral11: Reaper/Reaper/Scripts/Aimbot.js, win7-20240221-en
behavioral12: Reaper/Reaper/Scripts/Aimbot.js, win10v2004-20240226-en
behavioral13: Reaper/Reaper/Scripts/CC Aimbot.js, win7-20231129-en
behavioral14: Reaper/Reaper/Scripts/CC Aimbot.js, win10v2004-20240226-en
behavioral15: Reaper/Reaper/Scripts/Dex Explorer v2.js, win7-20240220-en
behavioral16: Reaper/Reaper/Scripts/Dex Explorer v2.js, win10v2004-20240226-en
behavioral17: Reaper/Reaper/Scripts/Mad City 2.js, win7-20240215-en
behavioral18: Reaper/Reaper/Scripts/Mad City 2.js, win10v2004-20240226-en
behavioral19: Reaper/Reaper/Scripts/TopKek V3.js, win7-20240221-en
behavioral20: Reaper/Reaper/Scripts/TopKek V3.js, win10v2004-20240226-en
behavioral21: Reaper/Reaper/injector.dll, win7-20240221-en
behavioral22: Reaper/Reaper/injector.dll, win10v2004-20240226-en

Malware Config
Extracted
xworm
l838.ddns.net:3232
Install_directory: %AppData%
install_file: Runtime Broker.exe

Targets
Target: Reaper.zip
Size: 8.8MB
Score: 1/10

Target: Reaper/Reaper/Bin/FpsUnlocker.exe
Size: 488KB
Score: 3/10

Target: Reaper/Reaper/EasyExploits.dll
Size: 10KB
Score: 1/10

Target: Reaper/Reaper/Reaper.exe
Size: 8.3MB
- Detect Xworm Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Target: Reaper/Reaper/Scripts/Aimbot 3.0.txt
Size: 98KB
Score: 1/10

Target: Reaper/Reaper/Scripts/Aimbot.txt
Size: 30KB
Score: 1/10

Target: Reaper/Reaper/Scripts/CC Aimbot.txt
Size: 23KB
Score: 1/10

Target: Reaper/Reaper/Scripts/Dex Explorer v2.txt
Size: 632KB
Score: 1/10

Target: Reaper/Reaper/Scripts/Mad City 2.txt
Size: 266KB
Score: 1/10

Target: Reaper/Reaper/Scripts/TopKek V3.txt
Size: 81KB
Score: 1/10

Target: Reaper/Reaper/injector.dll
Size: 19KB
Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)