Overview
overview
10Static
static
10Dropper/Berbew.exe
windows7-x64
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows7-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows7-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows7-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows7-x64
7RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows7-x64
10Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows7-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows7-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows7-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows7-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows7-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows7-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows7-x64
1Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows7-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows7-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
03-09-2024 14:02
240903-rb57sazdqf 1003-09-2024 13:51
240903-q59avszclf 1002-09-2024 19:51
240902-yk8gtsxbpd 1002-09-2024 02:27
240902-cxh7tazflg 1002-09-2024 02:26
240902-cwxc2sygll 1021-06-2024 19:37
240621-yca7cszgnd 1009-06-2024 17:07
240609-vm7rjadd73 1013-05-2024 17:36
240513-v6qblafe3y 1012-05-2024 17:17
240512-vty3zafh5s 10Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
12-05-2024 16:15
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
RAT/31.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
RAT/XClient.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
RAT/XClient.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
RAT/file.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
RAT/file.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Ransomware/Client-2.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Ransomware/criticalupdate01.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
Ransomware/default.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Ransomware/default.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
Stealers/Azorult.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
Stealers/BlackMoon.exe
Resource
win7-20231129-en
Behavioral task
behavioral20
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
Stealers/Dridex.dll
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
Stealers/lumma.exe
Resource
win7-20240419-en
Behavioral task
behavioral26
Sample
Stealers/lumma.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Trojan/BetaBot.exe
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral29
Sample
Trojan/SmokeLoader.exe
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240508-en
General
-
Target
RAT/XClient.exe
-
Size
172KB
-
MD5
75ba783757c5b61bd841afa136fc3eda
-
SHA1
8db9cda9508471a23f9b743027fa115e01bc1fe1
-
SHA256
75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
-
SHA512
9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
-
SSDEEP
1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/2jTT3Lnj
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral8/memory/4088-1-0x00000000009C0000-0x00000000009F0000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2216 powershell.exe 4772 powershell.exe 5072 powershell.exe 2152 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation XClient.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 21 pastebin.com 22 pastebin.com 24 7.tcp.eu.ngrok.io 47 7.tcp.eu.ngrok.io 58 7.tcp.eu.ngrok.io 60 7.tcp.eu.ngrok.io -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 18 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 4772 powershell.exe 4772 powershell.exe 5072 powershell.exe 5072 powershell.exe 2152 powershell.exe 2152 powershell.exe 2216 powershell.exe 2216 powershell.exe 4088 XClient.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4088 XClient.exe Token: SeDebugPrivilege 4772 powershell.exe Token: SeDebugPrivilege 5072 powershell.exe Token: SeDebugPrivilege 2152 powershell.exe Token: SeDebugPrivilege 2216 powershell.exe Token: SeDebugPrivilege 4088 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4088 XClient.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4088 wrote to memory of 4772 4088 XClient.exe 89 PID 4088 wrote to memory of 4772 4088 XClient.exe 89 PID 4088 wrote to memory of 5072 4088 XClient.exe 91 PID 4088 wrote to memory of 5072 4088 XClient.exe 91 PID 4088 wrote to memory of 2152 4088 XClient.exe 93 PID 4088 wrote to memory of 2152 4088 XClient.exe 93 PID 4088 wrote to memory of 2216 4088 XClient.exe 95 PID 4088 wrote to memory of 2216 4088 XClient.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82