Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://necrocracked...

windows10-2004-x64

10

https://necrocracked...

windows11-21h2-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    https://necrocracked.sell.app/invoice/1530332/deliverable?signature=faf2a849ce78cae616f381cea417cf99a53b4581d99e8931297cac3d7696f947

  • Sample

    240420-r2wq2abd6w

Score
10/10
xwormpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Public%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/UWpQULMP

Targets

    • Target

      https://necrocracked.sell.app/invoice/1530332/deliverable?signature=faf2a849ce78cae616f381cea417cf99a53b4581d99e8931297cac3d7696f947

    Score
    10/10
    xwormpersistencerattrojanupx

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks