Overview

overview

10

Static

static

10

Astral.exe

windows11-21h2-x64

10

Resubmissions

27/06/2024, 13:57

240627-q9n6gsxajl 10

27/06/2024, 13:54

240627-q7s2nathrg 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    Astral.exe

  • Size

    346KB

  • Sample

    240627-q9n6gsxajl

  • MD5

    eade82b2494f8d47a94f181b06476771

  • SHA1

    7ffe8d031c745da69bbf935096294a4e6d72f02a

  • SHA256

    087ddd27aef668f5ce26030cea6e730cdecdb427a57720445b93e9f60aab4d54

  • SHA512

    b3617fba5e4d3f8bbff99ed1aed21b7396571ce63e17f80d2535ba20e459c7252c83220025e72c3d997f2f86893520928ab99c6b155968b7a7809a65d9f7f6af

  • SSDEEP

    6144:YFGabOrNm+MFCjfOFzmLRf2jWp41TKDWm+O:YFG7IR4/6EV

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

record-co.gl.at.ply.gg:46979

Attributes
  • Install_directory

    %AppData%

  • install_file

    Astral.exe

Targets

    • Target

      Astral.exe

    • Size

      346KB

    • MD5

      eade82b2494f8d47a94f181b06476771

    • SHA1

      7ffe8d031c745da69bbf935096294a4e6d72f02a

    • SHA256

      087ddd27aef668f5ce26030cea6e730cdecdb427a57720445b93e9f60aab4d54

    • SHA512

      b3617fba5e4d3f8bbff99ed1aed21b7396571ce63e17f80d2535ba20e459c7252c83220025e72c3d997f2f86893520928ab99c6b155968b7a7809a65d9f7f6af

    • SSDEEP

      6144:YFGabOrNm+MFCjfOFzmLRf2jWp41TKDWm+O:YFG7IR4/6EV

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks