Overview
overview
10Static
static
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
1798s -
max time network
1805s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 18:05
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
RAT/31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
RAT/XClient.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
RAT/file.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral8
Sample
Ransomware/default.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Stealers/lumma.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240426-en
General
-
Target
RAT/XClient.exe
-
Size
172KB
-
MD5
75ba783757c5b61bd841afa136fc3eda
-
SHA1
8db9cda9508471a23f9b743027fa115e01bc1fe1
-
SHA256
75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
-
SHA512
9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
-
SSDEEP
1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/2jTT3Lnj
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral4/memory/772-1-0x0000000000890000-0x00000000008C0000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1276 powershell.exe 5084 powershell.exe 4968 powershell.exe 4592 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation XClient.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 30 IoCs
flow ioc 96 7.tcp.eu.ngrok.io 139 7.tcp.eu.ngrok.io 17 pastebin.com 197 7.tcp.eu.ngrok.io 18 pastebin.com 57 7.tcp.eu.ngrok.io 88 7.tcp.eu.ngrok.io 189 7.tcp.eu.ngrok.io 248 7.tcp.eu.ngrok.io 20 7.tcp.eu.ngrok.io 115 7.tcp.eu.ngrok.io 147 7.tcp.eu.ngrok.io 165 7.tcp.eu.ngrok.io 173 7.tcp.eu.ngrok.io 79 7.tcp.eu.ngrok.io 226 7.tcp.eu.ngrok.io 123 7.tcp.eu.ngrok.io 159 7.tcp.eu.ngrok.io 241 7.tcp.eu.ngrok.io 219 7.tcp.eu.ngrok.io 44 7.tcp.eu.ngrok.io 64 7.tcp.eu.ngrok.io 72 7.tcp.eu.ngrok.io 106 7.tcp.eu.ngrok.io 182 7.tcp.eu.ngrok.io 206 7.tcp.eu.ngrok.io 212 7.tcp.eu.ngrok.io 132 7.tcp.eu.ngrok.io 154 7.tcp.eu.ngrok.io 233 7.tcp.eu.ngrok.io -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 5084 powershell.exe 5084 powershell.exe 4968 powershell.exe 4968 powershell.exe 4592 powershell.exe 4592 powershell.exe 1276 powershell.exe 1276 powershell.exe 772 XClient.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 772 XClient.exe Token: SeDebugPrivilege 5084 powershell.exe Token: SeDebugPrivilege 4968 powershell.exe Token: SeDebugPrivilege 4592 powershell.exe Token: SeDebugPrivilege 1276 powershell.exe Token: SeDebugPrivilege 772 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 772 XClient.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 772 wrote to memory of 5084 772 XClient.exe 89 PID 772 wrote to memory of 5084 772 XClient.exe 89 PID 772 wrote to memory of 4968 772 XClient.exe 91 PID 772 wrote to memory of 4968 772 XClient.exe 91 PID 772 wrote to memory of 4592 772 XClient.exe 93 PID 772 wrote to memory of 4592 772 XClient.exe 93 PID 772 wrote to memory of 1276 772 XClient.exe 95 PID 772 wrote to memory of 1276 772 XClient.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
944B
MD52d06ce10e4e5b9e174b5ebbdad300fad
SHA1bcc1c231e22238cef02ae25331320060ada2f131
SHA25687d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c
SHA51238cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82