Overview

overview

10

Static

static

10

Danger-Mul...in.zip

windows10-2004-x64

Danger-Mul...DME.md

windows10-2004-x64

3

Danger-Mul...ts.txt

windows10-2004-x64

1

Danger-Mul...ain.py

windows10-2004-x64

3

Danger-Mul...rd.txt

windows10-2004-x64

1

Danger-Mul...ds.txt

windows10-2004-x64

1

Danger-Mul...rd.txt

windows10-2004-x64

1

Danger-Mul...rd.txt

windows10-2004-x64

1

Danger-Mul...rd.txt

windows10-2004-x64

1

Danger-Mul...11.exe

windows10-2004-x64

9

�4o.��_.pyc

windows10-2004-x64

Danger-Mul...px.exe

windows10-2004-x64

10

Danger-Mul...rt.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Danger-MultiTool-main.zip

  • Size

    8.5MB

  • Sample

    240818-jacvvawakl

  • MD5

    9d7e69eb59178c2c8a5cb30ea2cffb2b

  • SHA1

    077e4230fedb512dee79b8de3a2db4bc1e3861db

  • SHA256

    64cbe38d240af0d473e99da2880b6b24bda99c2e080d743ca70a7c63c6c39082

  • SHA512

    ff918fc2b5863c4425d2b49b0a0737bd7d01973c2547437216608e7527fa8bcbc0d0edb39ac16702efd06cc43fc9e4ef98c1c6ae276baeda3a228ebdd9779d49

  • SSDEEP

    196608:evtyXaw/YhZIINyMGkXmyQscGZ0UDh9eAxcqctMy4yD:eFyqEqIINyMGkXUscGFDh9eAxYlD

Score
10/10
blankgrabberxwormcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

45.83.246.140:30120

Attributes
  • Install_directory

    %AppData%

  • install_file

    runtime.exe

Targets

    • Target

      Danger-MultiTool-main.zip

    • Size

      8.5MB

    • MD5

      9d7e69eb59178c2c8a5cb30ea2cffb2b

    • SHA1

      077e4230fedb512dee79b8de3a2db4bc1e3861db

    • SHA256

      64cbe38d240af0d473e99da2880b6b24bda99c2e080d743ca70a7c63c6c39082

    • SHA512

      ff918fc2b5863c4425d2b49b0a0737bd7d01973c2547437216608e7527fa8bcbc0d0edb39ac16702efd06cc43fc9e4ef98c1c6ae276baeda3a228ebdd9779d49

    • SSDEEP

      196608:evtyXaw/YhZIINyMGkXmyQscGZ0UDh9eAxcqctMy4yD:eFyqEqIINyMGkXUscGFDh9eAxYlD

    Score
    1/10
    behavioral1

    • Target

      Danger-MultiTool-main/README.md

    • Size

      1KB

    • MD5

      77ff88c3907a1086b83791fb54aa54c7

    • SHA1

      fd6c7e7896651f06dc4cd73c1c13b552f55fbd8d

    • SHA256

      c86adedc84664dbb0daff4ba1593a3280b61cfb55f0c380e4e4f14c19aed66cf

    • SHA512

      935c5a02e9be4177ca87eab8fae76dd2d9e73d30e54fc1f2feab001953b8bb3a6765a9d937d8d22ecff53b291ab4af5cb268fa79cbf824a8b2366bdf7d4ac5ee

    Score
    3/10
    behavioral2

    • Target

      Danger-MultiTool-main/requirements.txt

    • Size

      261B

    • MD5

      89116f1c508bfe1d69dfe6c1c3aa7c2e

    • SHA1

      d2127555fb5e4d5a9de9de23e616494d701e794d

    • SHA256

      6741a5c449f96b03e8f593746283c9fa7313c2adffb13c09eed7fbb76395ad16

    • SHA512

      62f3b3c23bb197bb21740563152415f84b4a3e3330f17fa7019a776cee7fe47fae2d991d746c00cdb29cb7bb7d5347f6ae21bdf3f6876f295edf5301a33da481

    Score
    1/10
    behavioral3

    • Target

      Danger-MultiTool-main/src/main.py

    • Size

      13KB

    • MD5

      c48f27c10efb969ac31147a787860fb9

    • SHA1

      611c119923825407e300cc86ec258669b0224ebd

    • SHA256

      984c5a8704a16386a31fb31f903da7c24a7b67c224906be88039ea15ead84286

    • SHA512

      fd23d04786f93d5e2440912b71d83df15b100e2bd286e68e32cfb7ce23eb9f346c531fe822fc953c1eccbaf6395b63acc7697851ebc608834e5852a15056141c

    • SSDEEP

      384:MG87mbbEB8IXCa7bujRs8pWS+QinACIBadXGxuapdBeYyil4TKl17+Ryf3urqpMG:MG+mba8IXCa7bujRs8pWS+QinACIBad+

    Score
    3/10
    behavioral4

    • Target

      Danger-MultiTool-main/src/utils/Data/Amazon_Gift_Card.txt

    • Size

      1KB

    • MD5

      7a857d2afb2c9b803822c1f4ecfb9be7

    • SHA1

      67fa6ceee37fa88ccc8089193f0f3b99b1106c91

    • SHA256

      f8303217ceeaa1d181a78ade7554b57e3cfb8918fb8b706e81f1c61c0f10bac8

    • SHA512

      1527e33be6c221ea91eb6e3a8a36c82a67518a493b2ad2ad9f542aa6ecee7763d0f61b9bb076a1d036910f8cc1230ec6f4c9bc51b89fda79a2dce28408ddaff0

    Score
    1/10
    behavioral5

    • Target

      Danger-MultiTool-main/src/utils/Data/Ebay_Cards.txt

    • Size

      13KB

    • MD5

      a75c084867cb7ea90b1809d73e997428

    • SHA1

      60d0c9c05f6e56d0f7039a8301215b0298a9cfc4

    • SHA256

      0bd4c12c3571df3c9071f8770d18b33205e29ceaf606fef8c94cb3456b57d780

    • SHA512

      ecb3946a1c9b4122c975745eb8e23149c66035d9a46808914e32b1e8783d3c6536bcd0255e7c10a19ffd86cabc8acc5f0094765d10a72d07b928e08374ed5061

    • SSDEEP

      384:sXRJ8bxeTlrt9nhX0oZHR6VZ2uIxg4Okgh/voRd:SR2bxQD/HR6V0ur4zaXoRd

    Score
    1/10
    behavioral6

    • Target

      Danger-MultiTool-main/src/utils/Data/Fortnite_Gift_Card.txt

    • Size

      1.8MB

    • MD5

      347a97a5fbec1ca04525f7216467e184

    • SHA1

      b62742a8a013057bdf9df6a1db2abb7fb962ed83

    • SHA256

      1b975b6b72f8fd7f592f08d15cd79539a92aabd205b14a22f6484b38c8e41463

    • SHA512

      f6ba75ff6e2368713fa48d4070cbedb141337af80b5d36dbec62de215604e8fbcea465bac5d065519125e273f21adcca9c6b3b7436ac68f99af83fba49bcafc8

    • SSDEEP

      24576:kzDh9nSy4TZzDrW4ZskKtGc668AtBPo5c1YbGvFuxtN1qewnb8xWfXNrHYcR:aDBM0NF9UL1PWfG8

    Score
    1/10
    behavioral7

    • Target

      Danger-MultiTool-main/src/utils/Data/Roblox_Gift_Card.txt

    • Size

      1KB

    • MD5

      882f74e46f473f74fb3172a80c472e6c

    • SHA1

      6e0c6317f2eb0098e6e0fb20a1c9163cdc9b0ef5

    • SHA256

      3c63778bd0caf83f73da7307def2ea96dce114c1c527f4be20ceddb505b996d1

    • SHA512

      1fd3b5eec61cea8128c19ae685e552cde4b24eb7c822e1a484935f85c3d7797e58bd2afd1e8333385dc7e626da2ad8165fa165bc03660dd79b8590fb2cccec36

    Score
    1/10
    behavioral8

    • Target

      Danger-MultiTool-main/src/utils/Data/Steam_Gift_Card.txt

    • Size

      3KB

    • MD5

      5caabfe0e6a2f10e0b0a97f9e683ec26

    • SHA1

      1d34aa37b17ac4ebdf9e924b33efd97d6ebd8428

    • SHA256

      1b7145aa1d99303b2211bfc6a8c01a320fb4a4f30998fee458010b923d8ee559

    • SHA512

      e8ee75260b1731c44b964c98e551ac14e56b5ba29a62c4d671e80b199b3bcba70587f4128b98e62a7bb394ef58b9cec92f6eaaba39c49a4618c5bc4aa4cabb73

    Score
    1/10
    behavioral9

    • Target

      Danger-MultiTool-main/src/utils/__pycache__/cpython-311.pyc

    • Size

      7.4MB

    • MD5

      1a2ff293768d10b8c99d3cd2950164b9

    • SHA1

      e9123a3d2a53b5f8d008db9608037dd0571f3cae

    • SHA256

      3c09a37412bf3981e5d678b6598c2cdad32fcd6761fc649a50693ba45746e242

    • SHA512

      ff8a853675431bc36d88288546d7f467f239ae2e4e7ef019476ac4ca06f715e88f201753d7201dbfacb3b6dca51be764036372de8a8c0def29e00ae5e9469941

    • SSDEEP

      98304:FWeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTfHfyk6LK4dSI23o7yc:FPYmOshoKMuIkhVastRL5Di3tO/ys42O

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral10

    • Target

      �4o.��_.pyc

    • Size

      1KB

    • MD5

      5cd2babd20950cb48630fa3b9da3ca36

    • SHA1

      0393880a2937f9c306ab46d63d8a65638a6c8cac

    • SHA256

      85c21e48e59e603126503a1b4ca5645e84305b6045a0dc0210a5a20070c7f1e7

    • SHA512

      25536f8de19ca0d3cd1dbc776bd9aa72ebdbf3cf3b71c883761b90e8d08858281c5f79a3ddbf2b4d9406024e89f0410a29c3e32f535f214ac3b418a6a6a8fc3d

    Score
    1/10
    behavioral11

    • Target

      Danger-MultiTool-main/src/utils/upx.exe

    • Size

      69KB

    • MD5

      a230d428e97911ce6959e1463d781257

    • SHA1

      0946c13059bf98fd3aacefd0b2681a42b95292cd

    • SHA256

      c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

    • SHA512

      089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

    • SSDEEP

      1536:KWEyI4XFyV0UUIRiZAkupj9bIu9uLhQSOIcoFqXgG:KWnIiyVxRiij9bIYYhdOBuqXz

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral12

    • Target

      Danger-MultiTool-main/start.bat

    • Size

      121B

    • MD5

      c7bda38ca7b6acff98cfce8e087ece33

    • SHA1

      d2d7b7c6757870ef3a7ff3a40678e74176a4676e

    • SHA256

      8caedbf5a91ed11823eb4d35ac84720e692246a17db1dd70e42d1565540d5842

    • SHA512

      7732f4fb081f71bb0a8545a033ddfc35ec6901aec49735926718466d7155f623c482a83871fc3cb9c18fae17c9ce3ee008ea4effb74cce33b7034b8ad0ad0b7a

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral13

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks