hermeticwiper

General

Target

f267a71692c3683e3d6d0461e003f54f.exe
Size

2.3MB
Sample

240407-jcc9dsga2z
MD5

f267a71692c3683e3d6d0461e003f54f
SHA1

189450a513d1f2412470eb965468f1324633d252
SHA256

74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
SHA512

b376166646548104ee092beba9af8af5a04695f828e1a1b21ccdfd8a1cb88347a40f31108066d0fe6176a5ce18bf3ef3b8ce4e82a6c6a6ee886efe2bfa7a7bd7
SSDEEP

49152:qjOIzFMNQnXmsIi7MS4bdotKHDG/GGcYsKYX78Y5Ye3:qjvzFMNQnWspj4bdot45GdsKYXl5Yo

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

gamemodz.duckdns.org:6969

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  f267a71692c3683e3d6d0461e003f54f.exe
- Size
  
  2.3MB
- MD5
  
  f267a71692c3683e3d6d0461e003f54f
- SHA1
  
  189450a513d1f2412470eb965468f1324633d252
- SHA256
  
  74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
- SHA512
  
  b376166646548104ee092beba9af8af5a04695f828e1a1b21ccdfd8a1cb88347a40f31108066d0fe6176a5ce18bf3ef3b8ce4e82a6c6a6ee886efe2bfa7a7bd7
- SSDEEP
  
  49152:qjOIzFMNQnXmsIi7MS4bdotKHDG/GGcYsKYX78Y5Ye3:qjvzFMNQnWspj4bdot45GdsKYXl5Yo
Score

10^/10

hermeticwiper xworm zgrat bootkit persistence rat spyware stealer trojan upx wiper
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect HermeticWiper
  Detect HermeticWiper Payload.
  wiper
- Detect Xworm Payload
- Detect ZGRat V1
- HermeticWiper
  HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.
  wiper hermeticwiper
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Drops file in Drivers directory
- Manipulates Digital Signatures
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2