Overview

overview

10

Static

static

10

cheat.exe

windows10-2004-x64

10

out.exe

windows10-2004-x64

loader.exe

windows10-2004-x64

10

map.exe

windows10-2004-x64

10

Resubmissions

28-06-2024 11:39

240628-nsm6raxdrf 10

28-06-2024 11:36

240628-nqxmeaxdjg 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    celexdlol.rar

  • Size

    634KB

  • Sample

    240628-nqxmeaxdjg

  • MD5

    9c502988a3c51eeaec26d08abaedb508

  • SHA1

    030fe0b43920c5293ac5c32eb41280de44743157

  • SHA256

    6e552c8d82a2553ec83fea57d340561834aeac22ae30d6a81692f2eee6651e14

  • SHA512

    3b84bd6a08d06547f180c583f587ee33b88848cd1f846afd0557501c5c486267cde218df5be37c818f5a2b1ccbbbfb391b859f7073bd6f92e2bfc1904f54347b

  • SSDEEP

    12288:Wzcn7EanlQiWtYhmJFSwUBLcQZfgipYedhDYedh0Yedhh:0cn7NlwPUdYQxYQCYQv

Score
10/10
xwormexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

submit-processing.gl.at.ply.gg:54034

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      cheat.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      out.upx

    • Size

      653KB

    • MD5

      6970ea0b6597dcd5b4f5f19f28e958a8

    • SHA1

      a0130bb7ac03ec4799c90781ca93fd1392c6d54c

    • SHA256

      481e03978ca339ce697252895efe89b09fefd3098ad247d24eeb6cca9969f553

    • SHA512

      bc95cbe9a050e3d3b713745ef399bf2817d38f8e019f6edffdd2bf755badbde766e434e39a7f32356125bba0692b694c18da8dd0762aac0c9430d45acb215e01

    • SSDEEP

      12288:nkxDoouVA2nxKkhEvdRgQriDJOIlW+yBGQowlNCWS:RRmJkioQrilOIc+yMx

    Score
    1/10
    behavioral2

    • Target

      loader.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

    • Target

      map.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral4

MITRE ATT&CK Enterprise v15

Tasks