Overview: 10/10
Static: 3/10

Task                    Platform            Score
CatrinePer...rm.exe     windows7-x64        10/10
CatrinePer...rm.exe     windows10-2004-x64  10/10
CatrinePer...rm.exe     windows7-x64        10/10
CatrinePer...rm.exe     windows10-2004-x64  10/10
f_000004.js             windows7-x64        3/10
f_000004.js             windows10-2004-x64  3/10
f_00001c.js             windows7-x64        3/10
f_00001c.js             windows10-2004-x64  3/10
CatrinePer...9_0.js     windows7-x64        3/10
CatrinePer...9_0.js     windows10-2004-x64  3/10
CatrinePer...0_0.js     windows7-x64        3/10
CatrinePer...0_0.js     windows10-2004-x64  3/10
CatrinePer...Ex.dll     windows7-x64        1/10
CatrinePer...Ex.dll     windows10-2004-x64  1/10
CatrinePer...PC.dll     windows7-x64        1/10
CatrinePer...PC.dll     windows10-2004-x64  1/10
CatrinePer...ro.dll     windows7-x64        1/10
CatrinePer...ro.dll     windows10-2004-x64  1/10
CatrinePer...re.dll     windows7-x64        1/10
CatrinePer...re.dll     windows10-2004-x64  1/10
CatrinePer...ms.dll     windows7-x64        1/10
CatrinePer...ms.dll     windows10-2004-x64  1/10
CatrinePer...pf.dll     windows7-x64        1/10
CatrinePer...pf.dll     windows10-2004-x64  1/10
CatrinePer...rs.dll     windows7-x64        1/10
CatrinePer...rs.dll     windows10-2004-x64  1/10
CatrinePer...on.dll     windows7-x64        1/10
CatrinePer...on.dll     windows10-2004-x64  1/10
Revo_Unins...up.exe     windows7-x64        7/10
Revo_Unins...up.exe     windows10-2004-x64  7/10
CatrinePer...rp.dll     windows7-x64        1/10
CatrinePer...rp.dll     windows10-2004-x64  1/10
General
Target: CatrinePerm.rar
Size: 35.3MB
Sample: 240729-nn71cs1bmh
MD5: 93f852fd8dd762369828309c5514693a
SHA1: 3771382cf84495e1aaffa6350d958320492695f3
SHA256: 8e5387b8e5b1d7437979f00b42b6b481281f9ced1c3a7101f6a5832402563e5b
SHA512: 45d8330041d3a03d26ed224aaa70663b1c91955159f9dfb23ed1d757c8018ea4279d7aca2f25b1c89f60f85e48f71242d326cdede6e9e1314b0bee3dc56a6eae
SSDEEP: 786432:kuH8IqFfBevGJk7CZzIDe3AWTdzmpgwfXhf232fSiiAMkA4:jHQBeGDx3AcFMgwPhfJf/if4
Static task: static1

Behavioral tasks (sample, resource):
behavioral1: CatrinePerm/CatrinePerm.exe (win7-20240704-en)
behavioral2: CatrinePerm/CatrinePerm.exe (win10v2004-20240709-en)
behavioral3: CatrinePerm/CatrinePerm.exe (win7-20240705-en)
behavioral4: CatrinePerm/CatrinePerm.exe (win10v2004-20240709-en)
behavioral5: f_000004.js (win7-20240704-en)
behavioral6: f_000004.js (win10v2004-20240704-en)
behavioral7: f_00001c.js (win7-20240705-en)
behavioral8: f_00001c.js (win10v2004-20240709-en)
behavioral9: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js (win7-20240704-en)
behavioral10: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0.js (win10v2004-20240709-en)
behavioral11: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js (win7-20240705-en)
behavioral12: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0.js (win10v2004-20240709-en)
behavioral13: CatrinePerm/ControlzEx.dll (win7-20240708-en)
behavioral14: CatrinePerm/ControlzEx.dll (win10v2004-20240709-en)
behavioral15: CatrinePerm/DiscordRPC.dll (win7-20240708-en)
behavioral16: CatrinePerm/DiscordRPC.dll (win10v2004-20240709-en)
behavioral17: CatrinePerm/MahApps.Metro.dll (win7-20240704-en)
behavioral18: CatrinePerm/MahApps.Metro.dll (win10v2004-20240709-en)
behavioral19: CatrinePerm/Microsoft.Web.WebView2.Core.dll (win7-20240704-en)
behavioral20: CatrinePerm/Microsoft.Web.WebView2.Core.dll (win10v2004-20240709-en)
behavioral21: CatrinePerm/Microsoft.Web.WebView2.WinForms.dll (win7-20240708-en)
behavioral22: CatrinePerm/Microsoft.Web.WebView2.WinForms.dll (win10v2004-20240709-en)
behavioral23: CatrinePerm/Microsoft.Web.WebView2.Wpf.dll (win7-20240704-en)
behavioral24: CatrinePerm/Microsoft.Web.WebView2.Wpf.dll (win10v2004-20240709-en)
behavioral25: CatrinePerm/Microsoft.Xaml.Behaviors.dll (win7-20240704-en)
behavioral26: CatrinePerm/Microsoft.Xaml.Behaviors.dll (win10v2004-20240709-en)
behavioral27: CatrinePerm/Newtonsoft.Json.dll (win7-20240705-en)
behavioral28: CatrinePerm/Newtonsoft.Json.dll (win10v2004-20240709-en)
behavioral29: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe (win7-20240704-en)
behavioral30: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe (win10v2004-20240709-en)
behavioral31: CatrinePerm/SevenZipSharp.dll (win7-20240704-en)
behavioral32: CatrinePerm/SevenZipSharp.dll (win10v2004-20240709-en)
Malware Config
Extracted family: xworm
C2: 78.69.106.17:8000
Install_directory: %AppData%
install_file: Update.exe
Targets

Target: CatrinePerm/CatrinePerm.dll
Size: 811KB
MD5: 5aabc1aaec4fe6297da47c8d327ddd29
SHA1: ddfb19d827747f4ed4e59d4f2975f7017568e974
SHA256: 45df56d3bd73f3dd6ee05a8d77afd52d61012d1742cae6e42196f9f6f236f6d8
SHA512: 290b5f9e373b39f41b235ea09d90d026db38e0e63b7f660ff020d9c99819d7baa051fe5fae8221fc8eb5ac635a65de47ba127da2453e7d3a25f1ca337afb9fd6
SSDEEP: 12288:bwr+M1vyQiO+e7tmMjg4yDY7YjqhRNecqnfpQzt562ByZG3Xw5FP/umZtD1ryHsw:MzDE4Hzn2pstQEyZGw5F+SD1OHo6T
Signatures:
  Detect Xworm Payload
  Credentials from Password Stores: Credentials from Web Browsers
    Malicious access to or copy of the web browser credential store.
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Drops startup file
  Executes dropped EXE
  Loads dropped DLL
  Unsecured Credentials: Credentials In Files
    Steals credentials from unsecured files.
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Adds Run key to start application
  Indicator Removal: File Deletion
    Adversaries may delete files left behind by the actions of their intrusion activity.
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.

Target: CatrinePerm/CatrinePerm.exe
Size: 11.2MB
MD5: edd32d80dd14f84c7924e4af2953ba9e
SHA1: 0caf3a1acc853056616d9348aa93e8c0e11e3e99
SHA256: 95144e30ef6994482dd42a0ca261014bb9e2d3a3ca3520057918f6c1d4011a84
SHA512: 69e2eb5b81f2b4060eca0b66c88eb30c7f8936adce48bb4fe38bfeefd34d7ed0d152463d26c21dd159888f263d23a4206f0c332e24bce8f6e8a1d00ae221f063
SSDEEP: 196608:84ukkzY1CYQC8H6PWla1FsJ2kdEimSkXrXhUCrcfUUYuH+wDaLs5:84uBY1CY58H6f1FnkdRQbXhUCQcQm2
Signatures:
  Detect Xworm Payload
  Credentials from Password Stores: Credentials from Web Browsers
    Malicious access to or copy of the web browser credential store.
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Drops startup file
  Executes dropped EXE
  Loads dropped DLL
  Unsecured Credentials: Credentials In Files
    Steals credentials from unsecured files.
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Adds Run key to start application
  Indicator Removal: File Deletion
    Adversaries may delete files left behind by the actions of their intrusion activity.
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.

Target: f_000004
Size: 2.4MB
MD5: 46a47acda7fdd80dd473759e32ce4cdd
SHA1: 07228c70d179792e0fa8706bc80c8d93c24048ee
SHA256: 2901a0f7ee3a0f9d1beb6ace1e96a14f53562ced4c8e2db18a9ed8219716b99a
SHA512: 2baabf0de9b0339c625fcb7de455e068ecc471164be170eb41906ae7c6552e19482034270d616a2518fa281088fc18cc01dc8699e8b09e031d30b43f5ffd12a8
SSDEEP: 24576:TT5OK3WfXiExqyHTzmG5o40P2CIQ5kNZFx/IbM22TKFNENt8hvC+G:v5Oq8BqP21Q52ZFVIJ2TKFN4uvCF
Score: 3/10

Target: f_00001c
Size: 2.4MB
MD5: 4ee2fb755967abaa5dfa3077533ea641
SHA1: 28cb2ab2c5bd0f504d57ef111dcc7ecbb4564cf3
SHA256: b06870081ed26e46b05c8909ac0e9d928249e0547a3ef0985434c54bb47a1ee8
SHA512: e022241069c7e3b9eee8d5047cea51360caf46e7b4647aba44e1167146f0fe8098ada0158087ca51eb484fb7845fbed0b5f113ebf916f96b724932329b6b3c46
SSDEEP: 24576:kMoPLfNOhG6ZnykiUYfhsLPyQ/iZSOXAB6JVlDfF7pJYW3+vav1vV:JoPLlrmPyQ6ZHXAoVNF7pJPuiv1d
Score: 3/10

Target: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/834cfe7d63b4b479_0
Size: 52KB
MD5: 907a4d3235fc0d5697c35d487c85d26b
SHA1: f36c4d32175f51fc382ddce94652f1b7b4e94f7d
SHA256: 5359c3853e7ecbbcda58b3ce89ad48630958041656ecf5d541b9509c60611cd0
SHA512: b15604fcaac678280f8dec044388b666ffc4cb0dba3b7f468c57fcc580bd0bf3782330f21b244ab6a947a3ef7064a2e168b5e355e927598e382a9a6f011b000c
SSDEEP: 768:3SyJmvdqGyhyNt5IXRt3s/BjLmnktzu2xYWbWYtiu2/lfJVpYDGFo6zY3nFZZEPY:iyJmvdO4/K2ynHqjH2hJHWd681ZK4P+
Score: 3/10

Target: CatrinePerm/CatrinePerm.exe.WebView2/EBWebView/Default/Code Cache/js/e9cf90305a4e5760_0
Size: 52KB
MD5: eee55503dcb1500eb69b3a3d3a67a936
SHA1: b53c45a32cf4b2ea7b2dbeac3410185744823da0
SHA256: 2d3e221b28a0d99397cafd80b84a8e5f660013a5015da37e26ac679d9298d7a6
SHA512: 5a3c4f899730ab2fac9543c670f99c8735dab87af3f3f6969e6977bb1f466bb1836d1d8ccaaca6fa920a2e3067a08797ce95f39c6f1ab098cf7f5eb9147a42cf
SSDEEP: 1536:YF6J1Jq7DUmEzme6/TJs/9yBpSl0XVBQvf4+CFJf:1J1UEyJ/TJNB3QvAnf
Score: 3/10

Target: CatrinePerm/ControlzEx.dll
Size: 245KB
MD5: 6def9baa2552c072cea16b155fed0668
SHA1: 93c9c9a7bf892d102f75b7fbadcc997488b4ed34
SHA256: 3eceee9042e90da4a433007729778f72516f762599f7920839c751e180a47cb0
SHA512: 62ef6519d0aa5979acd11067ff129ebb85bf62df8e66e395423b0cf33e5aa1541f2a028d38f2f6647cc129f6cc8be381b9c4762928fd4d163a1614652f5984ac
SSDEEP: 6144:kv/YsKAsoWDJH5u6YAZBEmR8OpY82gb7gP2rxp+7vVNviPF1vdy0+mE:kyVoOJBRTdl2
Score: 1/10

Target: CatrinePerm/DiscordRPC.dll
Size: 82KB
MD5: c6115a08c8e50dac0194fb98d3edc9d2
SHA1: 903da7fb7ad47b7ad8eb5984ed54a865f6148744
SHA256: 4dd4d48e0681604e3a7a72b6eae42173421d0b806b1af8fa03b45d9999978499
SHA512: 3e43f721cf7b1ab28a4ff771b4186c70523eb2bd236063111593453c08dc8a7cf3fffd6a15af72502e8b800a35fbc7a7bd4ebb5b8f5f41796ee62a7a4a96c324
SSDEEP: 768:eZGfuhWbsoZkmJPTsERSrxWjOFB8ZZnwUMOpSJAT9wQtc3nIYH+nijpJRMnk56Ha:TWIbP3QxWjOQ5pYlPMkh+mTxtSNy
Score: 1/10

Target: CatrinePerm/MahApps.Metro.dll
Size: 3.4MB
MD5: fe25094bf44c6e3c8d6145bfec1ef2d2
SHA1: 50696530bd5f24f30ae90742da6bf7bccbafaac0
SHA256: 68768ebd9b04ebe7d9f093414c94a4f550741b7f3cf6ec3089b62c0fa76ee308
SHA512: 9632dceb87befcb04af648c1fd70ffb6f2e497de1026cf9422d3ba4a07f03387e75d5bb85dfdb1e1137d1bf5ac2b66ac984e5417e43e1c47d25df992a25b9f21
SSDEEP: 24576:xkcYr/qDOGL4/7qDL2P/1Y5e1bq7mTv+iruHt+Q:fUlPM2bq7mTv+iru5
Score: 1/10

Target: CatrinePerm/Microsoft.Web.WebView2.Core.dll
Size: 523KB
MD5: 9f9feedb05b87e1be1c7ab710655d0e8
SHA1: 2886a398d065e13f667b974180589baff890d2b3
SHA256: 5e172b4f558723b7dbb7f568f301077c84d6571436fbe5a5f45bfa621c020403
SHA512: 397be2264710120f1f6c419fc7e6a95915eabd0b0586461fadf7335d3b3e0bc35ebca96acf5cb4002a46f6aef90c0238564519c47c7c62c995b1d7469158b287
SSDEEP: 12288:qDrB322zh+iKsRFN/eA+imQ269pRFZNIEJdIEY0lxPrEIgcvLcglxMwCepM1SwU1:Zj
Score: 1/10

Target: CatrinePerm/Microsoft.Web.WebView2.WinForms.dll
Size: 39KB
MD5: 4caae0e27f1c493ad732e3a49b38b097
SHA1: 4319402a47be6c022552612303b6dca6eed4bade
SHA256: 32a1e3f4184ce03122c4503b53a7983204fa38e030dcdbbfe64f1b471fd12c42
SHA512: 0ff25e58b8e761e0c5b1a419b35547b4de8f02f2fe07e5ac8bc992bde46ac9fcae261bfd31ab90d9a669fa58cc87b798ec0a9de144245f6e39318e6b4c2eb83e
SSDEEP: 768:L41nHCqoU2GmbUt5740eObba2yfhZDgcEST3p4Jjrjh2jJTSG2au8vxJKia5/ZiE:L+bxyfhZDgcEST3p4JjrjaJTSG2au4xc
Score: 1/10

Target: CatrinePerm/Microsoft.Web.WebView2.Wpf.dll
Size: 47KB
MD5: 60aac68fd5215f9f2f703bf3d61f7100
SHA1: fafde9b5785400a013e84b6bccaa5c352589b16b
SHA256: 1eaff15b01117b888678bf552a04b2097f64b11adf01f566e4a8c4eb0f2eeb4d
SHA512: 8d86fe304eda0d66b9e7a7257f7f4254a5f8ac72cc5d6760497ce8284650734f224b8097d9b4f6c9b5a7941c278f5e2e9af5a51f6fe48d185376e32a826351d7
SSDEEP: 768:0rYDVkqAbSEJL637/mkqlw8fDP/ryEH0tBy4JjrD1h2jBhlUaGzkD7hKKa5/Bi/w:DJAbZk7/qw8fDP/ryEH0tBy4JjrD1aBy
Score: 1/10

Target: CatrinePerm/Microsoft.Xaml.Behaviors.dll
Size: 141KB
MD5: 3add5efdb77ac86592db53b1a22d41c4
SHA1: 05cce0b4888b8a4a9d0035a00da792ae2f2f52da
SHA256: 71e00e2b9ca3088132fc4d54a2076cb07127fe02a5fbc10df8d61cde55dfdbef
SHA512: f766aab25e307c5dcca8ae09925e11fb2183e19b5936984c082eb794bd99256bfb0ae2441cc615cac5b358ba259033e397cd718aa63912ef2c9de2cd558d99aa
SSDEEP: 3072:vq1jbJHF+e2mLqVQhe1d9PrZqYTXx5r1j2u:i1nJwxasnTp
Score: 1/10

Target: CatrinePerm/Newtonsoft.Json.dll
Size: 679KB
MD5: 916d32b899f1bc23b209648d007b99fd
SHA1: e3673d05d46f29e68241d4536bddf18cdd0a913d
SHA256: 72cf291d4bab0edd08a9b07c6173e1e7ad1abb7ab727fd7044bf6305d7515661
SHA512: 60bd2693daa42637f8ae6d6460c3013c87f46f28e9b0dbf9d7f6764703b904a7c8c22e30b4ba13f1f23f6cbee7d9640ee3821c48110e67440f237c2bb2ee5eb6
SSDEEP: 12288:1eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQk:10/POdGV5jfW5VnhFyvOB7jW5JMty
Score: 1/10

Target: Revo_Uninstaller_Pro_5.1.1/RevoUninProSetup.exe
Size: 16.8MB
MD5: ab0d159cbe7e1f7f9adea455506f73b1
SHA1: a780054d4721e433387091233fd16c67ecbf3bec
SHA256: 21a5b0e1ab9d88eec56dcd1c2ff050742d73e87325922e0840502d211b77b22a
SHA512: a28fb07060a33405a3d26d92c6479f77e4c403092b71471d0516cb4a431d2af55e48740c14622c6353066f53945ae8185aafb15f15b643ac4254dd26dd157ddc
SSDEEP: 393216:LwA1pdJwTb+1yXa+v5wfFUSwwV6YWlw9Muo4O9W3XfCX5wRIa4o:MADdJYVNCtUS1VWlwa4O2Xfs5O4o
Score: 7/10
Signatures:
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL

Target: CatrinePerm/SevenZipSharp.dll
Size: 147KB
MD5: 05c9849856abc683bcbc5c8d7921c146
SHA1: ad8ec49116b026eee2dd04d6434ede7ddce9734d
SHA256: 49284b31f28d0a62d797cfcf17f464c8c2b22b29d0e8ab7c15c94724d83e595c
SHA512: c0bfb5d987fe06eba3a7b0f0c73e24cc74935a8d1efd8a79d64b36c56d498532e453049715fb8c1509eda50a0a2f1213ce67d1edaf6bfcb200e0be58af67ea5e
SSDEEP: 3072:auMYWaB5+DBS4+aYX/PzJiXyjdZXUtd6uEhd/yZcvdUCG:auMYD7gJY1iXyjb
Score: 1/10

MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; counts in parentheses)

Execution
  Command and Scripting Interpreter (2)
    JavaScript (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)