Overview
overview
10Static
static
3Wave/CefSh...me.dll
windows11-21h2-x64
1Wave/WaveW...nc.exe
windows11-21h2-x64
10Wave/bin/lz4.dll
windows11-21h2-x64
1Wave/bin/wolfssl.dll
windows11-21h2-x64
1Wave/bin/xxhash.dll
windows11-21h2-x64
1Wave/bin/zlib1.dll
windows11-21h2-x64
1Wave/bin/zstd.dll
windows11-21h2-x64
1Wave/d3dco...47.dll
windows11-21h2-x64
3General
-
Target
wv.zip
-
Size
8.1MB
-
Sample
240722-f4s75s1cmm
-
MD5
74f1a556858306f10facdd13afef3876
-
SHA1
2785e176a4fb8360ed0708205104a77d48e385a2
-
SHA256
c7a74e51044e62ab518f212afb21d7fbe6ad6cc428868ebb8729e754bd8b0b10
-
SHA512
1af1c05ba7e5043928c7d4b14db051dc07445e7ed950bc4f9a751cefc9b44f729f0a91690695d7f4863dcb96ba8877ff6c4735761c1b518c03bf3280e380f6d7
-
SSDEEP
196608:YxDW3hc30N6CimAPcLvKX9WMpacf1drt1VEy:mD0cc6CLOcLyX9WTSl9Ey
Static task
static1
Behavioral task
behavioral1
Sample
Wave/CefSharp.Core.Runtime.dll
Resource
win11-20240709-en
Behavioral task
behavioral2
Sample
Wave/WaveWindows-nc.exe
Resource
win11-20240709-en
Behavioral task
behavioral3
Sample
Wave/bin/lz4.dll
Resource
win11-20240709-en
Behavioral task
behavioral4
Sample
Wave/bin/wolfssl.dll
Resource
win11-20240709-en
Behavioral task
behavioral5
Sample
Wave/bin/xxhash.dll
Resource
win11-20240709-en
Behavioral task
behavioral6
Sample
Wave/bin/zlib1.dll
Resource
win11-20240709-en
Behavioral task
behavioral7
Sample
Wave/bin/zstd.dll
Resource
win11-20240709-en
Behavioral task
behavioral8
Sample
Wave/d3dcompiler_47.dll
Resource
win11-20240709-en
Malware Config
Extracted
xworm
5.0
C9IM3x5CL1ZIpfuG
-
Install_directory
%LocalAppData%
-
install_file
ReAgentC.exe
-
pastebin_url
https://pastebin.com/raw/UWpQULMP
-
telegram
https://api.telegram.org/bot7420124943:AAF1r0gN9LdH2HJhpp3RjQMBU2cphBasfrs
Targets
-
-
Target
Wave/CefSharp.Core.Runtime.dll
-
Size
1.3MB
-
MD5
09cba584aa0aae9fc600745567393ef6
-
SHA1
bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
-
SHA256
0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
-
SHA512
5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
-
SSDEEP
24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI
Score1/10 -
-
-
Target
Wave/WaveWindows-nc.exe
-
Size
5.5MB
-
MD5
e9c64620dc920a64a2448e78de1cff90
-
SHA1
08e62b663da83d2fe304bba18381e87192313201
-
SHA256
26838283be0848527497674165c96a7683ccdbac999d8a226d9878a3ca7717a5
-
SHA512
83ef90821b8da79218c20c0ab287c1155f6d9fe36bee0419187ef215c73a66c33502966cfef4c17ac89502777518f1d00357387716ef914b0c82b0615ea12fc3
-
SSDEEP
49152:N3hTD+mOHaN2e1AUgbOtf7s51lL7Grsm4IPMWnjy5EAP+VZ1LojCWvzThoCW0vai:RJj2etsR7Ggm2Ey1yJvUyb
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
-
-
Target
Wave/bin/lz4.dll
-
Size
117KB
-
MD5
f7e2f224f8dbe22012c7ff20590b8770
-
SHA1
99775e038e306a2b5f73f6e7d8d42a5799ace824
-
SHA256
c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70
-
SHA512
96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89
-
SSDEEP
1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk
Score1/10 -
-
-
Target
Wave/bin/wolfssl.dll
-
Size
1.2MB
-
MD5
a396ee8375252d04da31676fe1b3ff75
-
SHA1
57aee1e5b69a85d0e0b7d5a103ddb683f0204cce
-
SHA256
7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25
-
SHA512
ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db
-
SSDEEP
24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE
Score1/10 -
-
-
Target
Wave/bin/xxhash.dll
-
Size
45KB
-
MD5
161bd3d60228dd16c54a927250af3e49
-
SHA1
463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6
-
SHA256
ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7
-
SHA512
3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b
-
SSDEEP
768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS
Score1/10 -
-
-
Target
Wave/bin/zlib1.dll
-
Size
87KB
-
MD5
f6fc96cfccdd9958a157546faa4c13a9
-
SHA1
ae8e4171a0583a761ae4428e5757daeedaf2a157
-
SHA256
231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da
-
SHA512
fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc
-
SSDEEP
1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH
Score1/10 -
-
-
Target
Wave/bin/zstd.dll
-
Size
634KB
-
MD5
59c9f23830bfb7b4fdc81bbd1e719810
-
SHA1
e58049c836931a22768ce2e4502b3a856e2ecd18
-
SHA256
9c37186c40d01e0ed9a42846c66aba449be5fe6c2da18ef6794422b5fa2ff8eb
-
SHA512
b52f1d0e764159453ddebd70665c3a43c61e963651cf671db8994c74f2dd35dcfc79b2c4d19c5e8d6c8564c824285426c1ec651b02f1956d331447e9405212ff
-
SSDEEP
12288:iilkxK/S1adDEh1qMkUFZe8/pJcOAAqy:iilkb1adDEh1qMkYZe8/pJxAAZ
Score1/10 -
-
-
Target
Wave/d3dcompiler_47.dll
-
Size
3.9MB
-
MD5
3b4647bcb9feb591c2c05d1a606ed988
-
SHA1
b42c59f96fb069fd49009dfd94550a7764e6c97c
-
SHA256
35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
-
SHA512
00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
-
SSDEEP
49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
Score3/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1