Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

https://cdn.discorda...

windows11-21h2-x64

10

Resubmissions

11/03/2024, 08:19

240311-j73grsff2v 10

10/03/2024, 03:32

240310-d3547sbc69 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    https://cdn.discordapp.com/attachments/1174482745112670279/1213014640985116682/Reaper.zip?ex=65fd296b&is=65eab46b&hm=aed17131838713d9738305a7214c56be0589406be25589bb97a648f6c0c05f8d&

  • Sample

    240311-j73grsff2v

Score
10/10
xwormpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

l838.ddns.net:3232

Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      https://cdn.discordapp.com/attachments/1174482745112670279/1213014640985116682/Reaper.zip?ex=65fd296b&is=65eab46b&hm=aed17131838713d9738305a7214c56be0589406be25589bb97a648f6c0c05f8d&

    Score
    10/10
    xwormratspywarestealertrojanupxpersistence

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops file in Drivers directory

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks