Extracted

Extracted

• • Target

    26.06.2024/DxHax.1.month.dll

  • Size

    42KB

  • MD5

    fd5791592f821f419276dc41041370f5

  • SHA1

    529345646ace85659476f487b6c41eb3254edbb0

  • SHA256

    db6b4ed4561e8730fda614ae1d213d5ba452353ac06f3c4bd1d896ea1668fa93

  • SHA512

    5f92345c676438930b974c6a702e9129f1398477f28c9d320bf94b4626ec564066d32d287f2d28a2b8cdacb5d6d5722910c75b8bf4d59edfc6866242865551c6

  • SSDEEP

    768:fegDSnBBghmExnQKwYh1uCEkbDLkYleUCIOqaKTsKGDcW:GgDSBBg0ExQKfhb3ST5KoKMc

  Score

  3^/10

  discovery
  behavioral1behavioral2behavioral3behavioral4

• • Target

    26.06.2024/DxHax.exe

  • Size

    9.0MB

  • MD5

    254e6ae77b775c805562a031bc0a1c65

  • SHA1

    843d67a36aa8baf1033c931740f03dd9f77749e1

  • SHA256

    caba4ef02b4c6c301d6ebee2833d23f59dbad37c2cfc8702a4cb31801fdb8284

  • SHA512

    7807054101bff645a3dadd0d70061b812485128ec9eb8c12de0251b2fd65fb1e835006989138afdd8193b8208f912157047ae97416620900b2fb1fbbab819edd

  • SSDEEP

    196608:XIHhCuQfOiZWD/ylAu96GZDd1GmtD0z1rDS/7eDvgrST:mhCuQOwAjGVXGmp0xr87J

  Score

  10^/10

  xwormdefense_evasiondiscoveryevasionexecutionpersistencerattrojan

  • Detect Xworm Payload

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Modify Registry: Disable Windows Driver Blocklist

    Disable Windows Driver Blocklist via Registry.

    defense_evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral5behavioral6behavioral7behavioral8

• • Target

    26.06.2024/System.Net.dll

  • Size

    232KB

  • MD5

    03ea41b17f2c043dc5d161eaab29d21c

  • SHA1

    c404bf4b5b7d1b3610c6a8b11f23e95fea9204a8

  • SHA256

    7c60d637c66956c06731a116e5ab825b6f4c9bc58b641230405bd482262dba97

  • SHA512

    9d0feabef95b42d0ae0b31bd954ee217fc50a43316c15a7f8d7a13ddc35010f43553e95e3bd1b9c2fa50ba3e5ccfe2e70d7285435089a004f502dd684bfc61a2

  • SSDEEP

    3072:u7ab0E4jbe6lwANv9gC/uJs4UZ/6irnCVLgHugGkm046mIDUAwJ5:z4jx/KTUZRDN5

  Score

  1^/10
  behavioral10behavioral11behavioral12behavioral9

• • Target

    26.06.2024/ZGsg7Rz25btLV3b.exe

  • Size

    132KB

  • MD5

    e28df4004f9463f736761ccfb0afafe7

  • SHA1

    9186f568819e064badced9200855707f73d5d52f

  • SHA256

    3ad8a28960058545fb48b29ea57470086db2ef75c1006325b6871c8ea5fd81d2

  • SHA512

    0e7aa2c42690a9ab4d15fff6aed63b4cbc86c2b2aafdeb2be1d5144f3273496d5dd9e70dc6d95815f59347168d5698553f5fe26fa87f1084604e97e19c4f891b

  • SSDEEP

    1536:IUZgwcxiKrCfmPMVYuc0IeH1bF/P3piVQzcCBVclN:IUZ1cxiaUmPMVDccH1bFH32Q/rY

  Score

  10^/10

  asyncratdefaultrat

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  behavioral13behavioral14behavioral15behavioral16

• • Target

    26.06.2024/uninstall.cmd

  • Size

    653B

  • MD5

    fbc297ee9060d4256192e4edb98cad1b

  • SHA1

    f305c065378aec46eb4dacaaeee3f866b1527105

  • SHA256

    099592ffa867124d16c0c6d868af1214fd2b7180fa76e4eee01abf2a5cf8f044

  • SHA512

    c867d366252e5124c6560fbb42ed4473dc7546360bc1221e9fcbc192e9216d6265e41ad26a733f7566c064b136ae02e21ef5f7095fcb6ae6f65b6fbeb3401ffe

  Score

  1^/10
  behavioral17behavioral18behavioral19behavioral20