Overview

overview

10

Static

static

10

cheat.exe

windows10-2004-x64

10

dControl.exe

windows10-2004-x64

7

loader.exe

windows10-2004-x64

10

map.exe

windows10-2004-x64

10

Resubmissions

28-06-2024 11:39

240628-nsm6raxdrf 10

28-06-2024 11:36

240628-nqxmeaxdjg 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    celexdlol.rar

  • Size

    634KB

  • Sample

    240628-nsm6raxdrf

  • MD5

    9c502988a3c51eeaec26d08abaedb508

  • SHA1

    030fe0b43920c5293ac5c32eb41280de44743157

  • SHA256

    6e552c8d82a2553ec83fea57d340561834aeac22ae30d6a81692f2eee6651e14

  • SHA512

    3b84bd6a08d06547f180c583f587ee33b88848cd1f846afd0557501c5c486267cde218df5be37c818f5a2b1ccbbbfb391b859f7073bd6f92e2bfc1904f54347b

  • SSDEEP

    12288:Wzcn7EanlQiWtYhmJFSwUBLcQZfgipYedhDYedh0Yedhh:0cn7NlwPUdYQxYQCYQv

Score
10/10
xwormexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

submit-processing.gl.at.ply.gg:54034

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      cheat.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      dControl.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    7/10
    upx

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral2

    • Target

      loader.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

    • Target

      map.exe

    • Size

      61KB

    • MD5

      427cae9ddc40f9a7ea51459fc265d9be

    • SHA1

      8c68b6be3529637908878e64a020dd99c3bf98ad

    • SHA256

      4a1a9976a6fc9351ce34db0c601952328f52b526894cea614b51879c065e89a4

    • SHA512

      da5d985814986580a53712df240dad2dd876a16aeebab7e89ddc9968a8d2305dbf1cb695e1fa812ac534f27f1dfabf1be8aedac1f07d1b311163843f905a47a1

    • SSDEEP

      1536:SAXBcwCcPCxLgk2BeVbcqbhc48Ulk36nJNOOKLj:SAyvcPCaJe9Pbhc0hcOKLj

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral4

MITRE ATT&CK Enterprise v15

Tasks