Resubmissions

  • 20-04-2024 17:13  240420-vrrwwadh2z  10
  • 12-03-2024 21:36  240312-1f3f5adc57  10
  • 10-03-2024 04:41  240310-fbmjwscd28  10
  • 10-03-2024 04:40  240310-fan2bscc93  10
  • 10-03-2024 04:38  240310-e9wd1scc82  10
  • 09-03-2024 07:38  240309-jghpnsdh88  10

General

  • Target: Reaper.zip
  • Size: 8.8MB
  • Sample: 240420-vrrwwadh2z
  • MD5: 8a9fd82515a15881c31cb0516dac5d44
  • SHA1: d2919b4e980a7fa383017e6580b36c920e3cae72
  • SHA256: d80f9618ef8369e54986f2abf564e5eeccf961d3ddaca515622412b1e4648d4c
  • SHA512: 6775b8d3c1e218e858f0802255539188a7eb7cc9aa3f295cb94364ecdca21deb9075355305d98cd7d923f1d9f55c765a0998d13e4ebe46cea19f3e1751367d88
  • SSDEEP: 196608:38j0qdqkbIWjOSgM24TDSfhBuT+aq3N7J738d9Pvn7QVw9hf:zqdHjRA4TDghAT+a0N7J7sd9nWyx

Malware Config

Extracted

  • Family: xworm
  • C2: l838.ddns.net:3232

Attributes

  • Install_directory: %AppData%
  • install_file: Runtime Broker.exe

Targets

    • Target: Reaper/Reaper/Bin/FpsUnlocker.exe
    • Size: 488KB
    • MD5: 52f46ced3b06b19eac3369fbdb4ee2ee
    • SHA1: 1bc549fa770b1bf3925248a3853a87af9948381f
    • SHA256: d0685e397486bd9f54eda33133e87e3970dedf5038ef0e4d058de34d796d72ac
    • SHA512: d65a7f73a497e18d0123306c3e940cdd5b22f61ad88fcd9a334c95bab0db665a8e61d11c9c78a656cbfdd7a691e782351fa712aa97c6f38f1d641ae91e3d23af
    • SSDEEP: 6144:9nsLTb6hU1R1IDT3nn/b10WyIZUdA8CQ3mAg0y0Noh+p9NWRzbX:6TbgrDT3n/b6qiA8CQqvYogp/6

    Score: 3/10

    • Target: Reaper/Reaper/EasyExploits.dll
    • Size: 10KB
    • MD5: 1c5ffe214040f00ec898bd3c5110e8b2
    • SHA1: 4abfbf2bcbcb742b4c4bbb11d21cafeeb93cf8bb
    • SHA256: 23312041ffa8628a7f89a21ba72af853cb90f26cf134d456656276930b26c1ec
    • SHA512: 682e5c06b1d26bee3f8d5cab9ff9c70908906c20b28ad7e022c37ce3b62b9af5cb1bf39734f387353566b45f5cf9f7c879c3d0a32c894168e6fe64ce7b80bd36
    • SSDEEP: 192:3U601DPhhshPYSndK+HiGcIa6Hp0+L2Ae:3T0pJhkP5dK+C76K+L2v

    Score: 1/10

    • Target: Reaper/Reaper/Reaper.exe
    • Size: 8.3MB
    • MD5: 79d145e3962e71bf725d15b4c0261dac
    • SHA1: bc9d7a5a347fcefe3b3b81136e83af294bd489f4
    • SHA256: 0ca306be254d1b3aff02ae559e5649e9f0bb10367f692e132d7da39e6860448d
    • SHA512: 2fc3cd1b4542de7313ffea8fc16132df9c305c9ca847d4754e3a645c274933b4dd9682b4dd2585c62e5b8b2307e296fb64e32b758222123bb5c901a95ba0b6df
    • SSDEEP: 196608:wfojS3EHCg1OgwII+XN6h5BOpEAyRHtt7fEiLrArrIx2j1:wojS3E1zg+XN05UpEAcHtt7MiorGg

    Signatures

    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: Reaper/Reaper/Scripts/Aimbot 3.0.txt
    • Size: 98KB
    • MD5: a026af0c23f83d6ec3ee17a4453c7dcf
    • SHA1: e707b0ebf1eac194e90c70767ee29a1c37e1a4a2
    • SHA256: 81fe4c1f8cbcf06e43a347fd8c39ceef960995031ae71db385c28636dfce3ec8
    • SHA512: 9817501504aa1b4777f8d0b10c9776d224e0aa38e9ca91a6c80d472d5b5ceafac2e507c335a2bd9959073d74912825e1361bae699404b8c3bcdd9306b85c1b79
    • SSDEEP: 1536:3N+t5Lq6w48qJ4UJe6wyG9EeG251GX/J3GC1Zqn+MVpx2RnB:kt5L0UJe6wyG9EeG251GX/J3GC1ciVB

    Score: 1/10

    • Target: Reaper/Reaper/Scripts/Aimbot.txt
    • Size: 30KB
    • MD5: 3ea5f844c18f550a3db09193c56594e8
    • SHA1: 389968ae4228908180ba68ecfab2ddfabeb0966b
    • SHA256: d33d3205288b776d977ad0047647bc8d40b83bc7d4f190f86f1011c8b417e983
    • SHA512: 8af81e52e74950a1961ad004400140386b0ad3d49d64e9617ad12d4550a4b1699eddf8e79849a32cdbdad034f25ee535430de9bef0513758e48b29a54d52b440
    • SSDEEP: 768:DW6T+ELiUI29j8vVwP8UkSVDYtDkYNighmLlmyEDKtpWpJ7xwrs5SwG1NBbp0Bwh:iYTEK0y

    Score: 1/10

    • Target: Reaper/Reaper/Scripts/CC Aimbot.txt
    • Size: 23KB
    • MD5: 3ab630b89a082862b82b552185ea4f84
    • SHA1: 703658e38cb131e6e53491f437a2e7e80a19ba82
    • SHA256: 54cba20aa0213ce83ed348763db0b17a55e4f39fbeae2ef0535ccf76b95bf622
    • SHA512: 9c290dd73db4425643f52f5f72c9c4d55666071141f3efd696e4b757b46ebf9fc6bb964ed61f3d9e3ddcbdf4073850041a43b9df6dbf50fcace9382d875fe77b
    • SSDEEP: 384:vP89lT07hqwp4EfExaDMluPQhKj8NTtXNKCkqJKcGfOtCZukLQKfb/eo5H+mYxsa:vP8XT07hqwp4EfExaDMluPQhKj8NTtXR

    Score: 1/10

    • Target: Reaper/Reaper/Scripts/Dex Explorer v2.txt
    • Size: 632KB
    • MD5: 317fec7c823a6ba4ad613220b587a0e8
    • SHA1: 3884e8a9a9122e7912c76c919f20c1b9d274f505
    • SHA256: 5573cc6f439511c5ec73b0c88af87bce49cac37475aa32da5b75b931f632a3dc
    • SHA512: d5adc2137051ab321197d0a2261ab991f5bf16e0271485c64b66679d863efb58191fe269fc40aa39feefd380b28d33168a6910b7ec40dedd2974e6d1d2db0bad
    • SSDEEP: 12288:fyXiPr7Gja8LsZuN6nQRXONQDKZsjOCBkVgfgLcbVgBe28Vk9Gm1OvClEjmD1Szi:fyXiPr7Gja8LsZuN6nQRXONQDKZsjOC0

    Score: 1/10

    • Target: Reaper/Reaper/Scripts/Mad City 2.txt
    • Size: 266KB
    • MD5: 1f2e26cfc004bdc2f2de0679c8ff2568
    • SHA1: 82f610d4b99fd08b52ffdd7d23b9f036bdcf27ba
    • SHA256: 629a0b979031a8b94d19e55cc1974c1361b491b005ca6b2f849265c5812b39f4
    • SHA512: 155fd7696881f01e401028f39e123a3023d5f84dab1a41c8b0440587b00aa8d4bab6654414c6e5a49ffae69734cbf2f0dac68cb1106a717e4216c69ef762103b
    • SSDEEP: 3072:VS2T6iABa4FZmn//HRR4OhRUU8EdPpES4xFdbIy91oH34O91N8sh/:VVTPzYZmnnoOLUzEdR34xFdbIUoXJisB

    Score: 1/10

    • Target: Reaper/Reaper/Scripts/TopKek V3.txt
    • Size: 81KB
    • MD5: 9e488b83078daf39e6f15f90c8d689cf
    • SHA1: 8602a9d4ecb5c4ea52f096e60b72607731c62277
    • SHA256: c40fe38b134a8484794b773a363377ec8b37ed8bb5b5c88e182f4f7acc60b4c8
    • SHA512: a86b60e792572ecc512ffad6eab8c271da206fe108d03c9c0156b5eea7a889c61943e88480a14f51ca787c79d084bc099cd3b01e7b5569e6149b3b079a45839a
    • SSDEEP: 768:l9dGinWaivTGFMoN6x94g+SnITXinAUJj0WFtdefC3ELZ7KhJDr0RzKokMy23ckW:Y3sr7b8W2PSh0gpNtiVtB

    Score: 1/10

    • Target: Reaper/Reaper/injector.dll
    • Size: 19KB
    • MD5: a4db6b21f7398882100909f37c1067a4
    • SHA1: 7b2a61d09e4959f4578b556196a8405a2f6e45f3
    • SHA256: d986554d185d3f4e827a1287322210ff6a143ed723d203efbf00a8757aa13714
    • SHA512: 42bafe3ef80a748db64dfc88a159a06ee33cecb3f709f01d9c1a9e38d3ab81008f3226963c1c2e926f5e4b6e9442fd2f8a89b0fa5425d04db869cf7be7bddd31
    • SSDEEP: 384:5xE24iKOgW7+uPOxQkWWma3NCx7cTuOJ9jIwq6Am:5JVKVxPXWWmgIx7cKOEZFm

    Score: 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Execution
  • Scheduled Task/Job (T1053): 1

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion
  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1
  • Modify Registry (T1112): 2
  • Hide Artifacts (T1564): 1
  • Hidden Files and Directories (T1564.001): 1

Credential Access
  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Discovery
  • System Information Discovery (T1082): 6
  • Query Registry (T1012): 4
  • Process Discovery (T1057): 1

Collection
  • Data from Local System (T1005): 2
