General
- Target: Reaper.zip
- Size: 8.8MB
- Sample: 240310-fbmjwscd28
- MD5: 8a9fd82515a15881c31cb0516dac5d44
- SHA1: d2919b4e980a7fa383017e6580b36c920e3cae72
- SHA256: d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c
- SHA512: 6775b8d3c1e218e858f0802255539188a7eb7cc9aa3f295cb94364ecdca21deb9075355305d98cd7d923f1d9f55c765a0998d13e4ebe46cea19f3e1751367d88
- SSDEEP: 196608:38j0qdqkbIWjOSgM24TDSfhBuT+aq3N7J738d9Pvn7QVw9hf:zqdHjRA4TDghAT+a0N7J7sd9nWyx
Tasks
- Static task: static1
- Behavioral task: behavioral1, sample Reaper.zip, resource win10v2004-20240226-en
- Behavioral task: behavioral2, sample Reaper/Reaper/Bin/FpsUnlocker.exe, resource win10v2004-20240226-en
- Behavioral task: behavioral3, sample Reaper/Reaper/EasyExploits.dll, resource win10v2004-20240226-en
- Behavioral task: behavioral4, sample Reaper/Reaper/Reaper.exe, resource win10v2004-20240226-en
- Behavioral task: behavioral5, sample Reaper/Reaper/Reaper.exe.config, resource win10v2004-20240226-en
- Behavioral task: behavioral6, sample Reaper/Reaper/Scripts/CC Aimbot.js, resource win10v2004-20240226-en
- Behavioral task: behavioral7, sample Reaper/Reaper/Scripts/Dex Explorer v2.js, resource win10v2004-20240226-en
- Behavioral task: behavioral8, sample Reaper/Reaper/Scripts/Mad City 2.js, resource win10v2004-20240226-en
- Behavioral task: behavioral9, sample Reaper/Reaper/injector.dll, resource win10v2004-20240226-en
Malware Config
Extracted: xworm
- l838.ddns.net:3232
- Install_directory: %AppData%
- install_file: Runtime Broker.exe
Targets

Target: Reaper.zip
- Size: 8.8MB
- MD5: 8a9fd82515a15881c31cb0516dac5d44
- SHA1: d2919b4e980a7fa383017e6580b36c920e3cae72
- SHA256: d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c
- SHA512: 6775b8d3c1e218e858f0802255539188a7eb7cc9aa3f295cb94364ecdca21deb9075355305d98cd7d923f1d9f55c765a0998d13e4ebe46cea19f3e1751367d88
- SSDEEP: 196608:38j0qdqkbIWjOSgM24TDSfhBuT+aq3N7J738d9Pvn7QVw9hf:zqdHjRA4TDghAT+a0N7J7sd9nWyx
- Score: 1/10

Target: Reaper/Reaper/Bin/FpsUnlocker.exe
- Size: 488KB
- MD5: 52f46ced3b06b19eac3369fbdb4ee2ee
- SHA1: 1bc549fa770b1bf3925248a3853a87af9948381f
- SHA256: d0685e397486bd9f54eda33133e87e3970dedf5038ef0e4d058de34d796d72ac
- SHA512: d65a7f73a497e18d0123306c3e940cdd5b22f61ad88fcd9a334c95bab0db665a8e61d11c9c78a656cbfdd7a691e782351fa712aa97c6f38f1d641ae91e3d23af
- SSDEEP: 6144:9nsLTb6hU1R1IDT3nn/b10WyIZUdA8CQ3mAg0y0Noh+p9NWRzbX:6TbgrDT3n/b6qiA8CQqvYogp/6
- Score: 3/10

Target: Reaper/Reaper/EasyExploits.dll
- Size: 10KB
- MD5: 1c5ffe214040f00ec898bd3c5110e8b2
- SHA1: 4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb
- SHA256: 23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec
- SHA512: 682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36
- SSDEEP: 192:3U601DPhhshPYSndK+HiGcIa6Hp0+L2Ae:3T0pJhkP5dK+C76K+L2v
- Score: 1/10

Target: Reaper/Reaper/Reaper.exe
- Size: 8.3MB
- MD5: 79d145e3962e71bf725d15b4c0261dac
- SHA1: bc9d7a5a347fcefe3b3b81136e83af294bd489f4
- SHA256: 0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
- SHA512: 2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
- SSDEEP: 196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg

Signatures:
- Detect Xworm Payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.

Target: Reaper/Reaper/Reaper.exe.config
- Size: 158B
- MD5: 505c30296417920ece68a4b1e0aae738
- SHA1: 08fed3e09735b7e6df067c53070592338a6770fc
- SHA256: 7ffc94d139bfc1b5cf222cdbdfe0bf53d665f8b6806625dccc6183a626a0433c
- SHA512: eb095d1ad332869547f948fda262f8d8f71ab7183782e9105ffd75d3e5c81ec4274f79b6c7385db3eb5e8e212aff003a7ccf16712a8e2af52e769f5a310f7f93
- Score: 3/10

Target: Reaper/Reaper/Scripts/CC Aimbot.txt
- Size: 23KB
- MD5: 3ab630b89a082862b82b552185ea4f84
- SHA1: 703658e38cb131e6e53491f437a2e7e80a19ba82
- SHA256: 54cba20aa0213ce83ed348763db0b17a55e4f39fbeae2ef0535ccf76b95bf622
- SHA512: 9c290dd73db4425643f52f5f72c9c4d55666071141f3efd696e4b757b46ebf9fc6bb964ed61f3d9e3ddcbdf4073850041a43b9df6dbf50fcace9382d875fe77b
- SSDEEP: 384:vP89lT07hqwp4EfExaDMluPQhKj8NTtXNKCkqJKcGfOtCZukLQKfb/eo5H+mYxsa:vP8XT07hqwp4EfExaDMluPQhKj8NTtXR
- Score: 1/10

Target: Reaper/Reaper/Scripts/Dex Explorer v2.txt
- Size: 632KB
- MD5: 317fec7c823a6ba4ad613220b587a0e8
- SHA1: 3884e8a9a9122e7912c76c919f20c1b9d274f505
- SHA256: 5573cc6f439511c5ec73b0c88af87bce49cac37475aa32da5b75b931f632a3dc
- SHA512: d5adc2137051ab321197d0a2261ab991f5bf16e0271485c64b66679d863efb58191fe269fc40aa39feefd380b28d33168a6910b7ec40dedd2974e6d1d2db0bad
- SSDEEP: 12288:fyXiPr7Gja8LsZuN6nQRXONQDKZsjOCBkVgfgLcbVgBe28Vk9Gm1OvClEjmD1Szi:fyXiPr7Gja8LsZuN6nQRXONQDKZsjOC0
- Score: 1/10

Target: Reaper/Reaper/Scripts/Mad City 2.txt
- Size: 266KB
- MD5: 1f2e26cfc004bdc2f2de0679c8ff2568
- SHA1: 82f610d4b99fd08b52ffdd7d23b9f036bdcf27ba
- SHA256: 629a0b979031a8b94d19e55cc1974c1361b491b005ca6b2f849265c5812b39f4
- SHA512: 155fd7696881f01e401028f39e123a3023d5f84dab1a41c8b0440587b00aa8d4bab6654414c6e5a49ffae69734cbf2f0dac68cb1106a717e4216c69ef762103b
- SSDEEP: 3072:VS2T6iABa4FZmn//HRR4OhRUU8EdPpES4xFdbIy91oH34O91N8sh/:VVTPzYZmnnoOLUzEdR34xFdbIUoXJisB
- Score: 1/10

Target: Reaper/Reaper/injector.dll
- Size: 19KB
- MD5: a4db6b21f7398882100909f37c1067a4
- SHA1: 7b2a61d09e4959f4578b556196a8405a2f6e45f3
- SHA256: d986554d185d3f4e827a1287322210ff6a143ed723d203efbf00a8757aa13714
- SHA512: 42bafe3ef80a748db64dfc88a159a06ee33cecb3f709f01d9c1a9e38d3ab81008f3226963c1c2e926f5e4b6e9442fd2f8a89b0fa5425d04db869cf7be7bddd31
- SSDEEP: 384:5xE24iKOgW7+uPOxQkWWma3NCx7cTuOJ9jIwq6Am:5JVKVxPXWWmgIx7cKOEZFm
- Score: 1/10
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)