General

  • Target

    fenta-logger.rar

  • Size

    129KB

  • Sample

    240608-m5dmeaba4t

  • MD5

    dea091cb6f46f1f7e6a4444c77f38352

  • SHA1

    442a5f9f82113dd9996c8422ee8004336cde3c11

  • SHA256

    133be268db3fae30bff3cf8c42261f4129a5c7baf2ac0e2fa3f9dc92ad67abe2

  • SHA512

    86b41ba986b19b637ba8b91536e1f546a6dd325d548720d315908263de460209d0efe186d47b91742a89c1101cb5760a3c89ab4a6f64f4690ba9db3a0b077de3

  • SSDEEP

    3072:SWy5igZ/1Uu5aMoNQHtM21ZoEfrRkUb3nxcGEfS:SWy5iw1Uu5ostl1j9b3nV

Malware Config

Extracted

  • Family

    xworm

  • C2

    movie-buddy.gl.at.ply.gg:40572

  • Attributes

    Install_directory: %Public%
    install_file: Runtime Broker.exe

Targets

    • Target

      fenta-logger/bin/fixer/fixer.bat

    • Size

      88KB

    • MD5

      561c4ecf6ab3848d4d45ee983b5e6bd3

    • SHA1

      11e581a4bd84cad824f1dfce89962ab593b4193a

    • SHA256

      2b7272581314f0f4b3cd41c32cc9ebd5950eb1acf67601bd6bdf1365aacc8eab

    • SHA512

      1f6f460a4df29eb2a2b1f8bb932e549e51c4b257c3ce6808038d877a50fa3b8bccaea38aa900d00e9207a764f7aebfc0f9a7b5a07bc53a9902544e0d280ad716

    • SSDEEP

      1536:5BhqxndKixJiWoFnHgyUkepspzSIWoDMbQ3JAX/EnuztSePjy08+:57qDchgkhrZZAXMnW8eby0H

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application
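
The signatures above translate directly into detection rules. The following is an added example, not part of this sandbox report and not XWorm's own code: it runs checks for the listed behaviours (hidden-window PowerShell, Defender exclusion tampering, Run key and startup-folder persistence pointing at %Public%\Runtime Broker.exe, and a connection to the reported C2) over constructed sample events. The Event fields are an assumed, simplified Sysmon-style shape; the expansion of %Public% to C:\Users\Public, the Run value name, the .lnk file name and the sample command lines are assumptions, and the events are constructed rather than taken from the sandbox run.

```python
"""Detection rules for the behaviours listed in the report, run over
constructed sample events (assumed Sysmon-style fields, not sandbox output)."""
import re
from dataclasses import dataclass

# Indicators taken from the Malware Config section of the report.
C2_HOST = "movie-buddy.gl.at.ply.gg"
C2_PORT = 40572
INSTALL_FILE = "runtime broker.exe"
# %Public% normally expands to C:\Users\Public (assumed default layout).
PUBLIC_DIRS = ("%public%\\", "c:\\users\\public\\")

# ATT&CK ids as listed in the report's matrix; the C2 rule comes from the
# extracted config and has no entry there.
ATTACK = {
    "powershell_hidden_window": "T1059.001",
    "defender_exclusion_added": "T1059.001",   # ATT&CK also files this under T1562.001
    "run_key_to_public_dir": "T1547.001",
    "install_file_dropped": "T1547.001",
    "startup_file_dropped": "T1547.001",
}

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)[-/]w(?:i\w*)?\s+h\w*", re.I)  # -w h ... -WindowStyle Hidden
EXCLUSION_RE = re.compile(r"\b(add|set)-mppreference\b.*-exclusion(path|extension|process)", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


@dataclass
class Event:
    """Minimal event shape (assumed): kind is process, registry, file or network."""
    kind: str
    image: str = ""    # process image path
    cmdline: str = ""  # process command line
    target: str = ""   # registry value path or file path
    data: str = ""     # registry value data
    dest: str = ""     # network destination as host:port


def is_install_path(path: str) -> bool:
    """True if path is the report's install location, %Public%\\Runtime Broker.exe."""
    p = path.lower().replace("/", "\\")
    return any(p == d + INSTALL_FILE for d in PUBLIC_DIRS)


def is_powershell(ev: Event) -> bool:
    return ev.kind == "process" and ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def detect(ev: Event) -> list[str]:
    """Names of the rules one event triggers (empty list for benign events)."""
    hits = []
    if is_powershell(ev):
        if HIDDEN_RE.search(ev.cmdline):
            hits.append("powershell_hidden_window")
        if EXCLUSION_RE.search(ev.cmdline):
            hits.append("defender_exclusion_added")
    if ev.kind == "registry" and RUN_KEY_RE.search(ev.target) and is_install_path(ev.data):
        hits.append("run_key_to_public_dir")
    if ev.kind == "file":
        if is_install_path(ev.target):
            hits.append("install_file_dropped")
        if STARTUP_RE.search(ev.target):
            hits.append("startup_file_dropped")
    if ev.kind == "network" and ev.dest.lower() == f"{C2_HOST}:{C2_PORT}":
        hits.append("xworm_c2_connection")
    return hits


def analyze(events) -> dict[str, str]:
    """Map each triggered rule to its ATT&CK id ("-" if the report lists none)."""
    return {rule: ATTACK.get(rule, "-") for ev in events for rule in detect(ev)}


# Constructed sample telemetry for this example; the Run value name, the
# .lnk name and the command lines are assumptions, not sandbox observations.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("process", image=PS,
          cmdline='powershell.exe -WindowStyle Hidden -Command "& {Start-Sleep 1}"'),
    Event("process", image=PS,
          cmdline="powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
                  "-ExclusionProcess 'Runtime Broker.exe' -ExclusionExtension 'exe'"),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker",
          data=r"C:\Users\Public\Runtime Broker.exe"),
    Event("file", target=r"C:\Users\Public\Runtime Broker.exe"),
    Event("file", target=r"C:\Users\user\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\Runtime Broker.lnk"),
    Event("network", dest="movie-buddy.gl.at.ply.gg:40572"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe /c ipconfig"),
]

if __name__ == "__main__":
    for rule, tid in analyze(SAMPLE_EVENTS).items():
        print(f"{rule:28} {tid}")
```

The hidden-window pattern accepts PowerShell's abbreviated parameters (`-w h`, `-win Hidden`) as well as the full `-WindowStyle Hidden`, since the sandbox signature only records that the window was hidden, not the exact spelling. The Run key rule fires only when the value data resolves to the reported install path, which keeps ordinary Run entries from triggering it.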

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                               ID          Count
  Execution             Command and Scripting Interpreter       T1059       2
                          PowerShell                            T1059.001   2
  Persistence           Boot or Logon Autostart Execution       T1547       1
                          Registry Run Keys / Startup Folder    T1547.001   1
  Privilege Escalation  Boot or Logon Autostart Execution       T1547       1
                          Registry Run Keys / Startup Folder    T1547.001   1
  Defense Evasion       Modify Registry                         T1112       1
  Discovery             Query Registry                          T1012       1
                        System Information Discovery            T1082       2

Tasks