General

  • Target

    515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe

  • Size

    15.8MB

  • Sample

    240616-bhtvbssgne

  • MD5

    f192b4e9cf07850041e19ea07cd984e3

  • SHA1

    061a917e9691648e00a7f91ff82ae1c0e8da248b

  • SHA256

    515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

  • SHA512

    19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a

  • SSDEEP

    393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClienamrt.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.1.8:7788

Mutex

66d1b8410b347e24d21ce9ad910a4de7

Attributes
  • reg_key

    66d1b8410b347e24d21ce9ad910a4de7

  • splitter

    |'|'|

Targets

    • Target

      515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe

    • Size

      15.8MB

    • MD5

      f192b4e9cf07850041e19ea07cd984e3

    • SHA1

      061a917e9691648e00a7f91ff82ae1c0e8da248b

    • SHA256

      515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

    • SHA512

      19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a

    • SSDEEP

      393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

    • Detect Xworm Payload

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables (downlaoders) containing URLs to raw contents of a paste

    • Detects executables using Telegram Chat Bot

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks