General

  • Target

    Tango Release.rar

  • Size

    59.8MB

  • Sample

    240607-14nmwaed26

  • MD5

    cd308fa39380f2b5335f2a3d8e3349e5

  • SHA1

    5d4ed367a1e5fa9c3b51f64a468f371db10b9c1c

  • SHA256

    9ff074f53a4f69d30b5f5f8852fc026349a69d3588b42218edf12c96a6000e62

  • SHA512

    bd802ac0d93aabee3739ed1ceef5d4fb572ef6aa9585c755f8db37dbc2a931d8006dab8920529ba0659e18c21bae59929ddc790ef3585fa41f97a616669211b8

  • SSDEEP

    786432:n2Pk0MOE2Q4764pZ5rf3uyV2bfU61PsrVeDModLAeDoLJQOL8BIAmpnfUT7NnfeC:n2ZMOv7fuvb+AdLA6KRLjAf5fcvS2SR

Malware Config

Extracted

  • Family

    xworm

  • C2

    91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Targets

    • Target

      Tango Release/Tango Release V1.4.exe

    • Size

      60.3MB

    • MD5

      4e7be8f8af00c2badd0aecaa9164a088

    • SHA1

      63ce85ee62895b8b0f42b03f1fe05dca1017d8e2

    • SHA256

      38caeabef38c9b02db8cfcd79c62421ea00f653c20b4e3453ece38828891887f

    • SHA512

      2d9d3c8d48727da86548732ec168d1c32ea1680633493674dad6d676a60324bb1e624d31b472737378adf0a01b4dd07cb3fdfb47b81e1df81c29d3a0972aa7b3

    • SSDEEP

      1572864:9V8Km0TjSpfZ79y2toCqztuExv57AhRFxZA:9GKnjSJDLibtuEd57UPZ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
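
    As an added example (not part of the sandbox report and not code from the Xworm or XMRig projects), the following Python turns the extracted configuration above (C2 91.92.241.69:5555, install path %ProgramData%\Windows Runtime.exe) and three of the listed behaviours (Run-key persistence, PowerShell Defender exclusions, the C2 connection) into detection rules and runs them over constructed, Sysmon-style telemetry records. The record shape and field names (dst_ip, command_line, key, data) are assumptions for illustration; map them onto your own pipeline's schema.

```python
import re
from dataclasses import dataclass

# IOCs taken from the report's "Malware Config" block.
C2_IP, C2_PORT = "91.92.241.69", 5555
INSTALL_FILE = r"\programdata\windows runtime.exe"   # %ProgramData%\Windows Runtime.exe
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Add-MpPreference with any of the three exclusion switches the report names.
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)


@dataclass
class Event:
    kind: str     # "network" | "file" | "registry" | "process" (assumed, Sysmon-like)
    fields: dict  # assumed field names; adapt to your telemetry schema


def rule_c2_connection(ev: Event) -> bool:
    f = ev.fields
    return ev.kind == "network" and f.get("dst_ip") == C2_IP and f.get("dst_port") == C2_PORT


def rule_install_file_drop(ev: Event) -> bool:
    return ev.kind == "file" and ev.fields.get("path", "").lower().endswith(INSTALL_FILE)


def rule_run_key_persistence(ev: Event) -> bool:
    # A Run key value whose data points at the reported install file.
    f = ev.fields
    return (ev.kind == "registry"
            and RUN_KEY in f.get("key", "").lower()
            and INSTALL_FILE in f.get("data", "").lower())


def rule_defender_exclusion(ev: Event) -> bool:
    f = ev.fields
    return (ev.kind == "process"
            and f.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe"))
            and EXCLUSION_RE.search(f.get("command_line", "")) is not None)


RULES = {
    "c2_connection": rule_c2_connection,
    "install_file_drop": rule_install_file_drop,
    "run_key_persistence": rule_run_key_persistence,
    "defender_exclusion": rule_defender_exclusion,
}


def detect(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    counts = {name: 0 for name in RULES}
    for _, name in detect(events):
        counts[name] += 1
    return counts


# Constructed sample telemetry (not from the sandbox run); two benign decoys included.
SAMPLE_EVENTS = [
    Event("network", {"image": r"C:\ProgramData\Windows Runtime.exe",
                      "dst_ip": C2_IP, "dst_port": 5555}),
    Event("network", {"image": r"C:\Windows\System32\svchost.exe",
                      "dst_ip": "1.1.1.1", "dst_port": 443}),
    Event("file", {"path": r"C:\ProgramData\Windows Runtime.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Runtime",
                       "data": r"C:\ProgramData\Windows Runtime.exe"}),
    Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "command_line": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData'"}),
    Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "command_line": "powershell -Command Get-MpPreference"}),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

    The C2 and install-path rules are sample-specific and will go stale; the Run-key and Add-MpPreference rules are generic enough to keep, with the usual caveat that administrators and deployment tooling legitimately add Defender exclusions, so the exclusion rule should be tuned against a baseline rather than alerted on blindly.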

    • Target

      Tango Release/assets.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score 1/10
    • Target

      Tango Release/instructions.txt

    • Size

      302B

    • MD5

      b91989cc1085782007877cacd4a1dd42

    • SHA1

      9e6e7edd14410a6c0159250cc8150baaa579d923

    • SHA256

      f37680ea78e81fe9ba0403671c8080e3209161fb8918af09cc5bc46606569b48

    • SHA512

      6eb13a3d88474f5e2a44b95e9e1f88233dc11d500533e56cc3d13914339669ace9c347ca0a2421d551188dc868b6e646b52668c32b50e4dca404c12287d0a7ae

    Score 1/10
    • Target

      Tango Release/license.txt

    • Size

      6KB

    • MD5

      0b09566254b011d989decf0e23a902eb

    • SHA1

      3ae5cd6be73daf418b8deee9c865cf78225838c9

    • SHA256

      a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1

    • SHA512

      4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b

    • SSDEEP

      192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1

    Score 1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the number of matched behaviours mapped to it. Sub-techniques are nested under their parent.

Execution

  • Command and Scripting Interpreter (T1059): 1
    • PowerShell (T1059.001): 1
  • System Services (T1569): 2
    • Service Execution (T1569.002): 2
  • Scheduled Task/Job (T1053): 1

Persistence

  • Create or Modify System Process (T1543): 2
    • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 2
    • Windows Service (T1543.003): 2
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1
  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Impair Defenses (T1562): 1
  • Modify Registry (T1112): 1

Credential Access

  • Unsecured Credentials (T1552): 2
    • Credentials In Files (T1552.001): 2

Discovery

  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 3
  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 2

Impact

  • Service Stop (T1489): 1
