Overview

Overall score: 10/10
Static analysis score: 3/10

Task scores (file names as truncated on the page; one row per task and platform; a task with no badge has no score):

windows_up...le.ps1  windows7-x64         1
windows_up...le.ps1  windows10-2004-x64   10
windows_up...le.vbs  windows7-x64         8
windows_up...le.vbs  windows10-2004-x64   8
fresh.exe            windows7-x64         10
fresh.exe            windows10-2004-x64   10
windows_up...er.cmd  windows7-x64         1
windows_up...er.cmd  windows10-2004-x64   10
windows_up...er.ps1  windows7-x64         1
windows_up...er.ps1  windows10-2004-x64   10
windows_up...rs.ps1  windows7-x64         1
windows_up...rs.ps1  windows10-2004-x64   1
windows_up...ad.ps1  windows7-x64         1
windows_up...ad.ps1  windows10-2004-x64   10
windows_up...te.cmd  windows7-x64         1
windows_up...te.cmd  windows10-2004-x64   (no score)
windows_up...te.vbs  windows7-x64         8
windows_up...te.vbs  windows10-2004-x64   8
windows_up...ad.cmd  windows7-x64         1
windows_up...ad.cmd  windows10-2004-x64   10
windows_up...ad.vbs  windows7-x64         8
windows_up...ad.vbs  windows10-2004-x64   8
windows_up...ws.cmd  windows7-x64         1
windows_up...ws.cmd  windows10-2004-x64   10
windows_up...ws.vbs  windows7-x64         8
windows_up...ws.vbs  windows10-2004-x64   8

General
Target: 19042024_1547_windows_update.zip
Size: 17.1MB
Sample: 240419-jnprkacc56
MD5: c427be2b5a8b0bb8059c713818a67039
SHA1: 87841c0fdbc05ef31131bc7810466b6fc2290789
SHA256: b471f3f22ac4c66fcf7419df31431552ce8f5ac8222b1398e0d1016824e95dcf
SHA512: 961a2001a7f8698ec8f255c7834f1c85adf92205981eca3b0e5563c2f08414c732e822b0ca28d8ac3e371c58a74dd7fe8122b4645ab0cd56810f45a449b47748
SSDEEP: 393216:IKnuyR8OELfOxKWo5N5VYpGdWrWEWRrCCBpu9RNkX93nM/DXwx4POCy1etBKeOf3:I6ELfONo5NXT4rW7R+CBpKRNkBnADW4g
Tasks

Static task: static1

Behavioral tasks (task id: sample, sandbox resource):
behavioral1: windows_update/file.ps1, win7-20231129-en
behavioral2: windows_update/file.ps1, win10v2004-20240412-en
behavioral3: windows_update/file.vbs, win7-20240319-en
behavioral4: windows_update/file.vbs, win10v2004-20240226-en
behavioral5: fresh.exe, win7-20240221-en
behavioral6: fresh.exe, win10v2004-20240412-en
behavioral7: windows_update/loader.cmd, win7-20231129-en
behavioral8: windows_update/loader.cmd, win10v2004-20240412-en
behavioral9: windows_update/loader.ps1, win7-20240221-en
behavioral10: windows_update/loader.ps1, win10v2004-20240412-en
behavioral11: windows_update/monitors.ps1, win7-20240221-en
behavioral12: windows_update/monitors.ps1, win10v2004-20240412-en
behavioral13: windows_update/payload.ps1, win7-20240221-en
behavioral14: windows_update/payload.ps1, win10v2004-20240412-en
behavioral15: windows_update/update.cmd, win7-20231129-en
behavioral16: windows_update/update.cmd, win10v2004-20240412-en
behavioral17: windows_update/update.vbs, win7-20240215-en
behavioral18: windows_update/update.vbs, win10v2004-20240412-en
behavioral19: windows_update/upload.cmd, win7-20240221-en
behavioral20: windows_update/upload.cmd, win10v2004-20240226-en
behavioral21: windows_update/upload.vbs, win7-20240221-en
behavioral22: windows_update/upload.vbs, win10v2004-20240412-en
behavioral23: windows_update/windows.cmd, win7-20240319-en
behavioral24: windows_update/windows.cmd, win10v2004-20240412-en
behavioral25: windows_update/windows.vbs, win7-20240221-en
behavioral26: windows_update/windows.vbs, win10v2004-20240412-en
Malware Config

Extracted config 1
Family: xworm
Version: 3.1
C2: jdokds.duckdns.org:8895
Mutex: fR94ukDUyBXXff7e
install_file: USB.exe

Extracted config 2
Family: xworm
Version: 5.0
C2: vbdsg.duckdns.org:8896
Mutex: FEi0RCvFfWeSuiKb
install_file: USB.exe

Extracted config 3
Family: asyncrat
Version: 5.0.5
Botnet: Venom Clients
C2: kdfsv.duckdns.org:8890
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%

Extracted config 4
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: bagdg.duckdns.org:8887
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Targets

Target: windows_update/file.ps1
Size: 13.0MB
MD5: 20788a06a96ae4d92417ace4661d559a
SHA1: 239d40f67c27ae2e70c698237a3b27401ef5d37a
SHA256: 8cc2612a8d44d4aebad26bd6ea254ad25f959497391ccfff127a56fad42eb4d5
SHA512: c3bcb3bbf117a933738a85590cf98f0fbd7f995c2b5a559850f089111aac87a774c42110da4237f31bd49a9d7ae2751d77eb3f72aac130c81163c13d58383511
SSDEEP: 49152:QZuX/CRIRerx1exkxTf0i0vcfo/wFlAPp5Bl0jNlD33oi:
Score: 10/10
Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload

Target: windows_update/file.vbs
Size: 32KB
MD5: 263f1c42f74c0012000082b4491c5633
SHA1: dd5e52905e076f64edf70e4ec6df184023da41e5
SHA256: ee55a816496e57c37a7d0451fc0122e10487dc91de31ff1ca6e25e38b898c5ca
SHA512: 184c6a5522ad67ecd1f4568faa050c721e8559f8c9ef38bbfbd7fd47b472aebd08a09f74064ffd3f2d2a53df985886172817691e97a7a9a2046e02f2ea288265
SSDEEP: 384:+D2rWxptVYVLrOSZA0fE2qhQpEXeePEm/dvraAwYdtQRqsWigCL53MTx+Y1VcJzS:hroVYV3vXp3AlEYdCL53ugFCaOK7in
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file

Target: fresh.exe
Size: 345.0MB
MD5: 33f67337db523a8a1610dc39702e6a9e
SHA1: 67783aaeb5499cd450094c5f1d20c15a4017e903
SHA256: 9f0c26a9ee59081531ac9c4d5cca894cf9933e4fdbb6cc9cb9db4a614c79bb91
SHA512: da148c37f5631dc94ef545cdccf95f7c8aa59cd5d49666982333082c05ebf9a1cc27c4f64dd117408fe1b49a65a588fdc034ffa8cba187f461cc372c5c8e0602
SSDEEP: 1536:fJZhM+Qw6/iPxFPP3t/zzdnr8EI5jayp3z3hXdmd30RrSkbiKyhz5u36UU5eX9Mk:++SrvbvyZg6UU529cI1VoheH
Signatures:
- Detect Xworm Payload
- Suspicious use of SetThreadContext

Target: windows_update/loader.cmd
Size: 98KB
MD5: 4dd85169668cda84ba77526c00d33b94
SHA1: c747c69b7b42f5df9955ef55712e6e7a62c51528
SHA256: 40d1eefe9d8d188d6db6183ead3409bb4f699c93cb70dd63cd905b37952a15c2
SHA512: 1cb472d78716de4d82bbf20cb94b1d38acedd1cfdcaffa6b2f5d321c6d4ee8b0d01fba6d2cd15c10af13b7f82176c4aea1c97b2dd877205e5a23aa8e247a0919
SSDEEP: 1536:IdG5FKZA2CbNUCUbqIby+r+4iDdi2qUfYiq3OnXswqBV/zR3QJVGq:s5ZneMDb/2qlZu8zBVlFq
Signatures:
- Async RAT payload
- Blocklisted process makes network request

Target: windows_update/loader.ps1
Size: 13.0MB
MD5: 918d10fa6fd003a0bea73d2ba50538e0
SHA1: a089fbb17927d4a84d25e910b3d0cc7ea12faf1f
SHA256: 4e842547867c928696600f51943bb9611adb9afc4741358fd5a97f28dcabfcf5
SHA512: a442521361cfdfd43f13250cb2b995a6e20713cf5559b504b2e3bc38ef12106a44f9e2eb279be200d73fa74559eeef7fa884d5dd2d85338dba846483290c1638
SSDEEP: 24576:rWFjASpSiK44861Lh5Z5wt0WxLQ/qA31hC/v18Oa7OPgp6YxuYTj3bfQJ3gFKpLh:SyItZfFNKCIRqiEu54Hvp1jW1o96lj
Signatures:
- Detect Xworm Payload
- Detect ZGRat V1
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: windows_update/monitors.ps1
Size: 1022B
MD5: a2c5ac23463aba29658f4857a9dc3c36
SHA1: 051fd9d95aaded97058bfc4f6183bfd92a6e66fc
SHA256: c1235f0cefde4c3e8ebe26b07159505ca219fcfd7ef2dd75433ebfe424343a2d
SHA512: 66c09ef0c5dc9ed94c9848a5d056ba63249439320569e86408817bcb677265b51ab10b9a4c0f5ac0d56cc09d4859a492741e230e0ffb50f2553e797c604424c2
Score: 1/10
Signatures: none

Target: windows_update/payload.ps1
Size: 13.0MB
MD5: aea7b9b583a8e559ccf1503c91dcc642
SHA1: 24106218bdc2a8480ba431931ca8e32a3a86e1b3
SHA256: 3645de345bd6e490b1a3db479a1b21c80685b0ad6364ba0d10aa1f19b845ac9a
SHA512: a133713bac6fa9fef9e26bffc936792adad6205be89ae24a7ee80445d81719a4643cdde970b62117dc02da34b57d6d0feccab2689bcda4f54fdb4e7507dfa9f1
SSDEEP: 49152:+Xz+bisAu/wGr2wd3q35o+F0MCTW9XZk:
Signatures:
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess

Target: windows_update/update.cmd
Size: 90KB
MD5: 1995b8e921de14413fcf1d3294ba2fa8
SHA1: cf7b83c9b58645cbc3b5608304d9a2edb27c2c9c
SHA256: ed508eb52e48884b93032bd898800e64e0126f888c7da127ca53c3607c56042f
SHA512: 184f136d9f2d5e20849908ecfdf1e0cb6e13b442324849d6bbe3e8204e581d904092084bd1a1a852723d57153ea7764353c77b23b94ae1d12261baa27026efbe
SSDEEP: 1536:FNUAiGNMG4ADcXo9zIvLC39cvE5mLToyG4YVMTrSpmXKfmsbvXej0cN7NcOsIcdt:FNUAfNbDc49zb3TALT5nYyTWpmGmsTcy
Signatures:
- Detect Xworm Payload
- Detect ZGRat V1
- Blocklisted process makes network request

Target: windows_update/update.vbs
Size: 32KB
MD5: 63a573c0ded47d45d6fec8d6ea4617ae
SHA1: 3e9f8761ad186ddf6c95cb8e537686c39524a041
SHA256: 090a419c6597180b477d22883d1f3292e8079760e5931df372829f746c2ed35f
SHA512: 06734b55932fc353c5db15fa1b6a0b8dbf54df1afc8a97cb85e4ce84422311585dc38168230cb757b5357fcd52bfabfd5f256d06a5a1764b67e91ef06a306cd8
SSDEEP: 768:NvaEN4C7nPP12SNRlOMldgdmD1N73ugFCaOK7i3:7LRo87e4Cani
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file

Target: windows_update/upload.cmd
Size: 92KB
MD5: eec37f3bab24fc7fe9a522d510d3846b
SHA1: 5961dd62caf4dc3f48542355638809de85a5458c
SHA256: 6f38e42f0d28197b443480c15321d5ac16589bb0d539946925fd3345bcef2885
SHA512: 0af4df57955d12d602b7d98eab7550a99ef0cd570f56d0ea11f8751ed62cc15ab5a871b9c76b2611c6caebce32cd3d1a013700249ed07caeddb965405b67e0a0
SSDEEP: 1536:xLybdutPYfy3HuyZA6fhiTq9LX9lc+ubMK/RF0w3kNR8bLOp8Ek5X90xzHiuzO:B6dutPYIOyZphEUX9K3bMuBkNw28dLwC
Signatures:
- Detect Xworm Payload
- Blocklisted process makes network request

Target: windows_update/upload.vbs
Size: 32KB
MD5: e4534ded9ec68260823a721bcd33651d
SHA1: 8a063bacf5970f15faf9673e981199c3857a33cb
SHA256: b0ad6203ee18e54d5629d75022394f0017a148f153bdd9c9bda1e13607d80da5
SHA512: 76d2de40c43fd43674d48db4408287ea1e25b54d9fdd088f3a01b4320892517c92121ec6334978db8726134df0f9d66790135f6dbf591d422d977c98835000ec
SSDEEP: 768:Oa+p6KNlEbk7WxSPQeXutoP7pBk3ugFCaOK7ip:h+6k9hke4Cang
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file

Target: windows_update/windows.cmd
Size: 109KB
MD5: fb0037160a00b86b8418ca6efedbafdb
SHA1: 50cab1c16ab95af09fab1b3dbc8b0ee9960bce2e
SHA256: 15378788a250cc88796c95c360aea5f0fabd7ff540b68974c930e9907fde7810
SHA512: 07362a7b1d665477504cc177f1e208ccb8242a40b3aae6c213527a2baf04ba444584097dad034ffe3fc8eeb176d02125f99f23041840e66ed1fb990b7655e654
SSDEEP: 3072:JpGKToitW8Jc86cKdN18shPU54CEd3gO8mjxuWrMz:TTVtWWv6c+N18shH+OxfrMz
Score: 10/10
Signatures:
- Async RAT payload
- Blocklisted process makes network request

Target: windows_update/windows.vbs
Size: 32KB
MD5: 14e7c231587a609351a171621bb7e0c9
SHA1: fb88a224c091b4d58c81b4e061e7bed556bd84d2
SHA256: 5cc2629af63fe5cda370a8a087af9a01027ff4ae22d1410e88d85deae29e89cc
SHA512: 98c05575996b098e592c39643a0aea996bc39575b1f13ca6c8f8f51f945dc841c1fee4785034f27cf9e957099b83abc162306d5eb30054a4fac5fad18bd4e89f
SSDEEP: 768:+7+assVao+vDdY+aYtA6sQbbtNmIWMo45L/quDqa3ugFCaOK7iY4SnWnru:+WsGbbtNmIWMo45L/quDqae4CanX4Sn1
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file