Overview

overview

10

Static

static

10

d0685487fa...60.exe

windows7-x64

10

d0685487fa...60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d0685487fa7e474e68a40a1b1ff49b60.exe

  • Size

    167KB

  • Sample

    240417-np1bxadd73

  • MD5

    d0685487fa7e474e68a40a1b1ff49b60

  • SHA1

    069285708e07814d852bbd5f39a7ffbb3c9e2d94

  • SHA256

    87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6

  • SHA512

    eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8

  • SSDEEP

    1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4

Score
10/10
asyncratstormkittyxenoratxwormdefaultpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

dentiste.ddns.net:7000

86.68.222.14:7000

51.254.53.24:7000

dentiste.ddns.net:7010
Attributes
  • Install_directory

    %AppData%

  • install_file

    Mise à jour carte CPS.exe

  • telegram

    https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hoyqzolrquxmbnzaee

Attributes
  • delay

    1

  • install

    true

  • install_file

    system.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/ckrnc4Uk

aes.plain

Extracted

Family

xenorat

C2

dentiste.ddns.net

Mutex

Xeno_syteme_update

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    7011

  • startup_name

    System

Targets

    • Target

      d0685487fa7e474e68a40a1b1ff49b60.exe

    • Size

      167KB

    • MD5

      d0685487fa7e474e68a40a1b1ff49b60

    • SHA1

      069285708e07814d852bbd5f39a7ffbb3c9e2d94

    • SHA256

      87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6

    • SHA512

      eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8

    • SSDEEP

      1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4

    Score
    10/10
    asyncratstormkittyxenoratxwormdefaultpersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks