blankgrabber | 1cf4d4852822a36a9c57c64e0a4a7c14c27751b448910f841e0733f586239814

Sharing

Copy URL

Twitter E-mail

General

Target

Desktop.rar
Size

7.7MB
Sample

240511-lwjxdsed84
MD5

9cc6e589dbec3c5a5c23d5899737167d
SHA1

1006e9353adfc58748d50affd780a6d158b97264
SHA256

1cf4d4852822a36a9c57c64e0a4a7c14c27751b448910f841e0733f586239814
SHA512

3181b2306583d01bb6e7b6d43f9bd22817d10162a0a9d6d6e99f0a1d6b30af82db3027f4e21075e18d51b1425d27693f3ee99e00ccba349341f47b60600986c3
SSDEEP

196608:0N8YGgYSzLbi79iF7vzUCADNX+03hVWcVRzZ8ri:9HgYSO67LeNXZLPjt8ri

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

3.0

else-movers.gl.at.ply.gg:28764

147.185.221.18:41012

Mutex

iXKagAiYnmlygFVn

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  fr2nnk.ex
- Size
  
  32KB
- MD5
  
  8d8bb72d313438d850c0fd079314e867
- SHA1
  
  7c3adc8b21b1404e506af0ba332a84f50f502038
- SHA256
  
  17ed10cc2d0e8a27b3823d7fdbe56a8a126e6b89f104e217d6d569fdfd88a679
- SHA512
  
  ed08efba52b9dcbf132e02a174e3526bd343145801367570d8bceac1a156582d553019a6e0df25afbacf620fc0d9c7543f0b52696fefb658a6060cc6ceddac49
- SSDEEP
  
  768:P1Xm1TliVBx7XDH4tyIJ8phhFyr9UBOjhe2Qx8:P1XmplgXHEJoFY9UBOjTQx8
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  grab.ex
- Size
  
  7.5MB
- MD5
  
  553d236d2a6a0a4ca78641f9a932ecaa
- SHA1
  
  3b0354f24b67f16efd93afcb95540886ef091490
- SHA256
  
  5ec487769f184e246bef6dc014df3eed2193d22c7887b0adedc4bb69299f8cf4
- SHA512
  
  e575738994a46704f14d44b9e38b3f9b67f2d507eb7fce7ada95b6dfe5697b783137de20dc88004f5fae964ffbcd47880447d6b07c2024353c7f926054333bc6
- SSDEEP
  
  196608:FyQsJbT/9bvLz3S1bA32O5iJdYW0+S5/Ukgdv:uJbTlj3S1bO2g8c+Si5
Score

10^/10

evasion execution upx spyware stealer
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6 behavioral7 behavioral8
- Target
  
  m2zen
- Size
  
  210KB
- MD5
  
  3ae919d27d1e034cdcd8825e6f439397
- SHA1
  
  e35e951c0e892e3213088766c80050f5ce4c88b2
- SHA256
  
  f227037997a514d0b16dfc8e02dfc522ba409768f3c2c5faba127762851a77ca
- SHA512
  
  f5a1969770c79f8c5abb313e11c445e5d135b8667a75aa407ccbbff69d02a22c9ac47db0d3e4f7238f4ba3fe1c0d57290904464802e4ee571c594e6075bb2921
- SSDEEP
  
  6144:2vyF8JOSSS/jEuVKmRo8J7RoxkAugtddd/uU2Nkyb5ZgFgvcjXCb:2w8J9LvWddmUaZzvcjW
Score

7^/10

persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral10 behavioral11 behavioral12 behavioral9
- Target
  
  winhlp32.ex
- Size
  
  205KB
- MD5
  
  a83dc22ef14c6b5d96aaee00b10a4973
- SHA1
  
  ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
- SHA256
  
  143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
- SHA512
  
  0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
- SSDEEP
  
  6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral13 behavioral14 behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm

Drops startup file

Adds Run key to start application

Deletes Windows Defender Definitions

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16