Overview

overview

10

Static

static

3

Nexus Rele...ok.dll

windows11-21h2-x64

1

Nexus Rele....7.exe

windows11-21h2-x64

10

Nexus Rele...ts.dll

windows11-21h2-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nexus Release.rar

  • Size

    20.1MB

  • Sample

    240614-r2t77syejk

  • MD5

    ab3c1fd848d5570a40bb17a8d7b2107a

  • SHA1

    351090de4d1200f7d53810fd4534ba56372a21f3

  • SHA256

    b895ad7a2e10bc61670d50322612490e99a66cfd95a7a005a7ce5662617083f5

  • SHA512

    03c38e025af6b195e26a78f203e60b6c059c34508af93c545aa06bbc8fe1fbd87afc6d50246d799c9459a322134241d46a7c4915d74e318a2f01cc64069f7b32

  • SSDEEP

    393216:nezoWhX6DGw9q7AMeMW5wnfctGqovafOdPG9EZP/0CPa0o7rPKsZ4GsVwD:ezhXFw9q7feMWsfEcmOo9acga0CrPgJs

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Targets

    • Target

      Nexus Release/ByfronHook.dll

    • Size

      21KB

    • MD5

      4e3e92823caeac1203beaa5a35d6dafc

    • SHA1

      893b591d46c39e817052cd05ec969fea74da4233

    • SHA256

      3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2

    • SHA512

      0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33

    • SSDEEP

      384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score
    1/10
    behavioral1

    • Target

      Nexus Release/Nexus Release V1.7.exe

    • Size

      20.1MB

    • MD5

      253575deb2d3ea6f88d960bdd4199170

    • SHA1

      7e0ecd244840472324d4ebec097c50983ddaec0d

    • SHA256

      14a8a060706a3a20704260d43910fb96a7f727d399b08f946cc9a2db1875ee6e

    • SHA512

      5833a87198ba997110f293a251394870035f247ba3aea4af6782ce5e1ae4dd5e8e163ccb53713435fe5b9e832bba5d23b3261b9e07a73e60bcd5bf622bd782e4

    • SSDEEP

      393216:yuxL64bjP10Io0Yl/fsQ1s3dKHg8rYT3mH8Ac7wzli5fxslEe8OqF0EaVr5tye:RxPvW70YltWf8MT2HvcMzlcpsme8OqFO

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral2

    • Target

      Nexus Release/assets.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10
    behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks