General

  • Target: ModXPack.bat
  • Size: 1.6MB
  • Sample: 240413-y169pshc96
  • MD5: 51d7b8be303abf43851e767d9250887b
  • SHA1: e795e381647c8a99529f87810347881b6b9bdeba
  • SHA256: e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
  • SHA512: 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26
  • SSDEEP: 24576:0DQy+ebV+tWhxXbJ3p+uOw/MhywlLuXmU+mC2Yvhp9Ehz+AZUTBMrJQfcMw:0NnXt1OIMhB6XmU+mynnuJ8w

Malware Config

Extracted

Family: xworm
Version: 3.0
C2: china-earth.gl.at.ply.gg:14568
Mutex: 4tKD5kBskz9jyEvO

Attributes
  • install_file: USB.exe
  • telegram: https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284

aes.plain

Extracted

Family: quasar
Version: 1.4.1
Botnet: Office04
C2: notes-creation.gl.at.ply.gg:27030
Mutex: 6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key: 8681483EF512C654BECF205A0D74FFCA4B129A98
  • install_name: Client.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Trapix Client Startup
  • subdirectory: SubDir

Targets

    • Target: ModXPack.bat

    • Detect Xworm Payload
    • Quasar RAT: Quasar is an open-source Remote Access Tool.
    • Quasar payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Blocklisted process makes network request
    • Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.

MITRE ATT&CK Enterprise v15

Tasks