Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 16:42

General

  • Target

    XBinderOutput.exe

  • Size

    568KB

  • MD5

    43ebcf641eac11f8012145d44733cc0a

  • SHA1

    e1776ddd0a23987ca149e74cccd8e9372b7f27c5

  • SHA256

    c8431f6620fb1f7e2404f33562347d83ad660106659c3143d00f3b699dee454e

  • SHA512

    2379be5b09810007668b11fe58d3d1d575c1f2acd9962803147890a3d32ade8a982584e42d18c08b320043136991014f2f6ed09e8bfb238f555694d859f42aa2

  • SSDEEP

    12288:YP5B0nVtH35fFWAZdfJxLswLlXfUX05oEOj2X0GuI:YP5B0nVnZZJxLxL+SoEl

Malware Config

Extracted

Family

xworm

Version

5.0

C2

rules-views.at.ply.gg:21974

Mutex

Uf6Nl0qMPg6NLqce

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

aes.plain

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Local\Temp\Output.exe
      "C:\Users\Admin\AppData\Local\Temp\Output.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3448
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1972
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFDC9.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:2020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Gazofom.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:376
      • C:\Users\Admin\AppData\Local\Temp\Gazofom.exe
        "C:\Users\Admin\AppData\Local\Temp\Gazofom.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c pause
        3⤵
          PID:1552

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Temp\Gazofom.exe
      Filesize

      121KB

    • C:\Users\Admin\AppData\Local\Temp\Output.exe
      Filesize

      88KB

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvsunlhb.y2s.ps1
      Filesize

      60B

    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      Filesize

      554KB

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      41KB

    • C:\Users\Admin\AppData\Local\Temp\tmpFDC9.tmp.bat
      Filesize

      159B
