Malware Analysis Report

2024-11-30 19:10

Sample ID 240313-q5g7daga62
Target The-Desert-Rat.zip
SHA256 2692c9908f851e2ab4a6e9272e821b20d4cecf1e6a7fddd6fcdc01e6df95ce5e
Tags
agilenet xworm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2692c9908f851e2ab4a6e9272e821b20d4cecf1e6a7fddd6fcdc01e6df95ce5e

Threat Level: Known bad

The file The-Desert-Rat.zip was found to be: Known bad.

Malicious Activity Summary

agilenet xworm

Detect Xworm Payload

Xworm family

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-13 13:52

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
(70 matches in total; the per-file details were not captured in this extraction)
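The two static signatures above that do not need a detonation to reproduce are "Unsigned PE" and "Obfuscated with Agile.Net obfuscator". The script below is an added Python example, not the sandbox's own code: it walks an archive in memory (never extracting to disk), parses each member's PE header far enough to read the Authenticode certificate table and CLR runtime header data directories, and scans for an Agile.NET runtime marker string. The marker strings (AgileDotNetRT), the stand-in archive contents and the minimal PE32+ header it builds for itself are constructed assumptions for the example; a present certificate table only means a signature blob is attached and says nothing about whether it verifies.

```python
import hashlib
import io
import struct
import zipfile

# Data directory indexes from the PE specification (IMAGE_DIRECTORY_ENTRY_*).
DIR_SECURITY = 4          # Authenticode certificate table
DIR_COM_DESCRIPTOR = 14   # CLR runtime header: present only in .NET assemblies

# Assumption for this example: Agile.NET-protected assemblies reference the
# runtime helper by name. This list is illustrative, not the sandbox's rule.
AGILE_MARKERS = (b"AgileDotNetRT", b"AgileDotNet")


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to say whether the blob is a PE image,
    whether it carries a certificate table and whether it is a .NET assembly."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return {"is_pe": False}
    (n_dirs,) = struct.unpack_from("<I", data, nrva_off)

    def directory(idx: int) -> tuple:
        if idx >= n_dirs:                    # images may declare fewer than 16 directories
            return (0, 0)
        return struct.unpack_from("<II", data, dd_off + 8 * idx)

    sec_off, sec_size = directory(DIR_SECURITY)
    clr_rva, clr_size = directory(DIR_COM_DESCRIPTOR)
    return {
        "is_pe": True,
        # Non-empty table = a signature blob is attached; validity is a separate check
        # (e.g. Get-AuthenticodeSignature on Windows).
        "has_cert_table": sec_off != 0 and sec_size != 0,
        "dotnet": clr_rva != 0 and clr_size != 0,
        "agile_markers": [m.decode() for m in AGILE_MARKERS if m in data],
    }


def signatures_for(rep: dict) -> list:
    """Map a per-file result onto the signature names used in the report above."""
    if not rep["is_pe"]:
        return []
    hits = []
    if not rep["has_cert_table"]:
        hits.append("Unsigned PE")
    if rep["dotnet"] and rep["agile_markers"]:
        hits.append("Obfuscated with Agile.Net obfuscator")
    return hits


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every archive member in memory and hash it, without extracting to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            rep = inspect_pe(data)
            rep["name"] = info.filename
            rep["sha256"] = hashlib.sha256(data).hexdigest()
            rep["signatures"] = signatures_for(rep)
            results.append(rep)
    return results


def build_minimal_pe(dotnet: bool, cert_table: bool, tail: bytes = b"") -> bytes:
    """Constructed PE32+ header for testing only; it is not a runnable program."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    dirs = [(0, 0)] * 16
    if cert_table:
        dirs[DIR_SECURITY] = (0x1000, 0x800)
    if dotnet:
        dirs[DIR_COM_DESCRIPTOR] = (0x2000, 0x48)
    data_dirs = b"".join(struct.pack("<II", a, b) for a, b in dirs)
    # Machine=AMD64, 0 sections, SizeOfOptionalHeader=112+128, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + len(data_dirs), 0x0022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", len(dirs))
    return dos + b"PE\0\0" + coff + opt + data_dirs + tail


def build_sample_zip() -> bytes:
    """Constructed stand-in for The-Desert-Rat.zip: one unsigned .NET PE carrying an
    Agile.NET marker string, plus a non-PE text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("The-Desert-Rat/The-Desert-Rat/Desert-Rat.exe",
                    build_minimal_pe(dotnet=True, cert_table=False, tail=b"\0AgileDotNetRT\0"))
        zf.writestr("The-Desert-Rat/The-Desert-Rat/readme.txt", b"not a PE")
    return buf.getvalue()


if __name__ == "__main__":
    for rep in triage_zip(build_sample_zip()):
        print(rep["name"], rep["sha256"][:16], rep["signatures"])
```

Run it against a real archive by passing the file's bytes to triage_zip; compare the SHA256 of the whole archive with the value at the top of the report before trusting any per-member result, since a re-packed zip will not match.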

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 13:50

Reported

2024-03-13 13:59

Platform

win11-20240221-en

Max time kernel

208s

Max time network

305s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-Desert-Rat.zip

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\The-Desert-Rat\The-Desert-Rat\Desert-Rat.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\The-Desert-Rat\The-Desert-Rat\Desert-Rat.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-Desert-Rat.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\The-Desert-Rat\The-Desert-Rat\Desert-Rat.exe

"C:\Users\Admin\Documents\The-Desert-Rat\The-Desert-Rat\Desert-Rat.exe"

Network

Country Destination Domain Proto
IE 52.111.236.22:443 (none) tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

The UDP row is a reverse (PTR) lookup of 52.111.227.14 sent to Google DNS; the TCP row is a direct HTTPS connection to a different host that shares the 52.111 prefix. The report does not attribute either connection to a process, so neither can be tied to Desert-Rat.exe from this page alone.

Files

memory/2028-0-0x00007FFF98610000-0x00007FFF990D2000-memory.dmp

memory/2028-1-0x00000166F10B0000-0x00000166F482C000-memory.dmp

memory/2028-2-0x0000016698000000-0x000001669BE28000-memory.dmp

memory/2028-3-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-4-0x00000166F4C60000-0x00000166F4C6C000-memory.dmp

memory/2028-5-0x00000166F6460000-0x00000166F647C000-memory.dmp

memory/2028-6-0x00000166F64C0000-0x00000166F64EC000-memory.dmp

memory/2028-7-0x00000166F6D10000-0x00000166F6D4C000-memory.dmp

memory/2028-8-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-9-0x00000166F66B0000-0x00000166F6856000-memory.dmp

memory/2028-10-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-11-0x00007FFF98610000-0x00007FFF990D2000-memory.dmp

memory/2028-12-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-13-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-14-0x00000166F64B0000-0x00000166F64C0000-memory.dmp

memory/2028-15-0x00000166F64B0000-0x00000166F64C0000-memory.dmp