General

  • Target

    Robux Haker.exe

  • Size

    80.3MB

  • Sample

    240525-talsvshf3y

  • MD5

    d580e78fe8a1317e2a3b54d59aa278b8

  • SHA1

    fd9957c286344436c705b2a45d1551d4c94360ba

  • SHA256

    a3454cd22568fe6e617734e051eb68218bd977bf48a43e06a22d06afaae42976

  • SHA512

    5ddb8dc42211cac7979f1223d90e946affcb9af37a95243abe13c3399401ddfa85727e81218450ba73353db9c8f57ada123dc0c002d31e492499fea7af195a55

  • SSDEEP

    1572864:RSpUaiMnf8EpR3ULukwsJZzJJISAUPWJ8fDSzNCBefgOXzzyaWjkm4PL:I3nf7b3AukwsiUQ8fDwNyefgOXakms

Malware Config

Extracted

Family

xworm

C2

MEZO:7000

51.252.153.62:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime Broker.exe

  • telegram

    https://api.telegram.org/bot7168105056:AAFuCvmRFCu4d1tQpp-hoVahbWiR2XeHgHc/sendMessage?chat_id=1992635040

Targets

    • Target

      Robux Haker.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Sets file to hidden

      Sets the hidden attribute on the file so it is not shown in Explorer and similar listings.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      The executable is packed with UPX or a modified build of the open-source UPX packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
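
The extracted configuration and the behaviours listed above translate directly into host and network detections. The Python below is an added example written for this page, not tooling from the sandbox or from the Xworm author: it takes the C2 endpoints, install file and Telegram URL from the config, splits the Telegram URL into bot id, token and chat id, and runs a few rules over constructed event records. The event field names (type, text, key, data, image, dst, port) are assumptions made for the example, not a real log schema. The Run-key rule generalises slightly beyond the config by flagging any RuntimeBroker.exe look-alike outside System32, which is where the genuine RuntimeBroker.exe lives.

```python
"""Host/log checks derived from the Xworm configuration extracted above.

Added example, not part of the sandbox report. The event dictionaries are
constructed to resemble Sysmon / PowerShell script-block records; their
field names are an assumption, not a real log schema.
"""
import re
from urllib.parse import parse_qs, urlparse

# Indicators copied from the extracted configuration on this page.
C2_ENDPOINTS = {("mezo", 7000), ("51.252.153.62", 7000)}
INSTALL_FILE = "Runtime Broker.exe"  # dropped into %AppData%
TELEGRAM_URL = ("https://api.telegram.org/bot7168105056:"
                "AAFuCvmRFCu4d1tQpp-hoVahbWiR2XeHgHc/sendMessage?chat_id=1992635040")

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
# Add-MpPreference with any -Exclusion* parameter is the Defender-exclusion
# behaviour flagged in the report.
DEFENDER_EXCL_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)


def telegram_indicators(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat id.

    Bot id and chat id identify the operator's channel (useful for abuse
    reports and proxy rules); the token is a secret and belongs in the IOC
    store, not in tickets. Returns None for URLs that are not Bot API calls.
    """
    parsed = urlparse(url)
    m = re.match(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$", parsed.path)
    if parsed.hostname != "api.telegram.org" or not m:
        return None
    chat_id = parse_qs(parsed.query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2),
            "method": m.group(3), "chat_id": chat_id}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _masquerades_runtime_broker(path):
    """True when the file name is RuntimeBroker.exe (spacing and case ignored)
    but the file is not in %SystemRoot%\\System32, where the real one lives."""
    name = _basename(path).replace(" ", "").lower()
    in_system32 = "\\windows\\system32\\" in path.lower()
    return name == "runtimebroker.exe" and not in_system32


def _under_appdata(path):
    return "\\appdata\\" in path.lower()


def detect(events):
    """Return (rule_name, event_index) pairs for events matching the config."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "script_block" and DEFENDER_EXCL_RE.search(ev.get("text", "")):
            hits.append(("defender_exclusion_added", i))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")):
            if _masquerades_runtime_broker(ev.get("data", "")):
                hits.append(("run_key_masquerading_runtimebroker", i))
        elif kind == "network":
            dst = (ev.get("dst", "").lower(), ev.get("port"))
            if dst in C2_ENDPOINTS:
                hits.append(("xworm_c2_connection", i))
            elif dst[0] == "api.telegram.org" and _under_appdata(ev.get("image", "")):
                hits.append(("telegram_api_from_appdata_process", i))
    return hits


# Constructed sample events (not from the report) exercising each rule,
# including benign look-alikes that must stay quiet.
SAMPLE_EVENTS = [
    {"type": "script_block",
     "text": "Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Roaming'"},
    {"type": "script_block",
     "text": "Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'"},
    {"type": "script_block", "text": "Get-MpPreference | Select-Object ExclusionPath"},
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Runtime Broker",
     "data": "C:\\Users\\u\\AppData\\Roaming\\Runtime Broker.exe"},
    {"type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive",
     "data": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "network", "image": "C:\\Users\\u\\AppData\\Roaming\\Runtime Broker.exe",
     "dst": "51.252.153.62", "port": 7000},
    {"type": "network", "image": "C:\\Users\\u\\AppData\\Roaming\\Runtime Broker.exe",
     "dst": "api.telegram.org", "port": 443},
    {"type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst": "api.telegram.org", "port": 443},
]


if __name__ == "__main__":
    print(telegram_indicators(TELEGRAM_URL))
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]}")
```

On a live Windows host the same checks map to Get-MpPreference (ExclusionPath, ExclusionProcess, ExclusionExtension), the HKCU Run key, and a file named "Runtime Broker.exe" under %AppData%; the Telegram rule only fires for processes running out of AppData, so a desktop messaging client installed elsewhere does not trip it.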
