Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
24-04-2024 09:16
General
-
Target
500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
-
Size
196KB
-
MD5
edd7441051bbf509ef1052d9f2a02c8f
-
SHA1
7338ef9ddb0b59228b31c6b7931fae04ace344e8
-
SHA256
500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
-
SHA512
0aa4f2666213b571114cdd56c859200ab34a615cde57e67d142d4522369c74b8d4c37c9c95c97a76b93abbb0795ce698e4a888e646fdd2b05fe80f81da074f93
-
SSDEEP
3072:LhAMBSpVNwpB7/LaX6No7INoSXlb2Q4u3lriJYzr9B/erenNecMnq+ECqmIkk6:LaP+fvLW7IVXliQz3l//3Pyq+RqmI
Malware Config
Extracted
xworm
127.0.0.1:7000
91.92.252.220:7000
-
Install_directory
%Temp%
-
install_file
mstc.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
redline
IDS
91.92.252.220:9078
Extracted
limerat
bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt
-
aes_key
KILLER
-
antivm
false
-
c2_url
https://pastebin.com/raw/4EtQAvTV
-
delay
3
-
download_payload
false
-
install
true
-
install_name
browser.exe
-
main_folder
AppData
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Signatures
-
Detect Xworm Payload 2 IoCs
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\XClient.exe"C:\ProgramData\XClient.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\browser.exe'"3⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\browser.exe"C:\Users\Admin\AppData\Roaming\browser.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\browser.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'browser.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\ProgramData\build.exe"C:\ProgramData\build.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\mstc.exeC:\Users\Admin\AppData\Local\Temp\mstc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\mstc.exeC:\Users\Admin\AppData\Local\Temp\mstc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
83KB
MD55b7ac9829cdca0b5e82604191dcc1d4e
SHA15e944b6afea5db67b4d272a7b02bdf5501ca213f
SHA256bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251
SHA512505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33
-
Filesize
95KB
MD5d32bddd3639f42733a78945885002128
SHA16dcfc09b8c86e79ac70a63132a5162d3616c6479
SHA25634dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e
SHA512b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD54a7f03a7ad1cae046d8ceac04256e5ae
SHA1ef0bf767c91cba32b33c0b48f74f5eb153ae43d3
SHA256e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60
SHA512382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d
-
Filesize
944B
MD515cba9af0569043c070ef13f57e66645
SHA13d95c089505a02d4f68df724d1eeb150959bd4aa
SHA256acd8646d89455f2a58f8565aed21a3523d4614bce8986e3d2f6d86334a443a17
SHA5127aa7e2afcdee48bed8fd6913911420ee6772c0cf31c206d2f2b77e34f06d03b80ade4e9c691b0aed278276321be410475f74af966fde70e27ea6cb7a4630fdbe
-
Filesize
944B
MD5aa6b748cd8f3e3c0e41549529b919e21
SHA15a4b9721f9fb5042f6ef7afd698d5ac5216a88bb
SHA256d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8
SHA512361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
Filesize
944B
MD51189a72e42e2321edf1ed3a8d5568687
SHA1a2142fc754d6830de107d9d46f398483156f16a6
SHA256009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5621d7d1f292cc7cc954c1be9d3919e26
SHA1f709611a510ee7dd387b133f833d117bd09cbfb0
SHA25661eefc7b7f4c499d9c4b139edda5b5494f8b7b0af059d8ed9b46f7d2f74a25ca
SHA512a7edf735f0c24d73e6df3f00f4d0021d0da0cc325ba74f39a99765557756378a7b4ccf656366ec7fdc8c32b9ce851ccbe62fa51791ad14f04d83da0cb683e949
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
1.1MB
-
Filesize
3.3MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
224KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB