General
Target: Roogue Private.exe
Size: 7.2MB
Sample: 240829-2qjbnsxckq
MD5: 644f88834e5ac39f4ae39e7ae7ac4fe8
SHA1: 9e6d36935e03c978ce880ee4ffcd35deaa1be257
SHA256: c995ee6a0c0f1985859b6d367fd2a2f253d4910272d4600dcb37768cac3db5bf
SHA512: aef4ad4713bf3990599c9923923a727136861226b149905fcd12a469bfe689f2fb856efbc45572c938f23649fed5a3ff496840fd558f6dc50929159534d4e2c2
SSDEEP: 196608:9qOT49D3jWMsQN4bkqrdWuTYAQNYelOat:cZ3irFhTY1lOat
Behavioral task: behavioral1
Sample: Roogue Private.exe
Resource: win10v2004-20240802-en
Malware Config

Extracted: xworm
Version: 5.0
C2: itsdaddy.zapto.org:7000, itsDaddy.giize.com:7000
Unlabelled config value (shown as-is in the report): GulJwRysiuatwEK4
Install_directory: %ProgramData%
install_file: svchost.exe

Extracted: asyncrat
Botnet/group ID: Default
C2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
URL: https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Extracted: gurcu
URL: https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856

Note on the extracted values: the AsyncRAT C2 list is loopback only (127.0.0.1 on the stock 6606/7707/8808 ports) with the default AsyncMutex_6SI8OkPnk mutex, so those fields are unchanged builder defaults and the only reachable channel in that config is the Telegram sendMessage URL, which both the asyncrat and gurcu extractions share. The XWorm C2 is the pair of dynamic-DNS hosts on port 7000, with a dropped copy named svchost.exe in %ProgramData% as the install artifact. The Telegram URL embeds the bot token; the bot ID 7423164379 and chat_id 7472532856 are the stable parts to key on.
Targets
Target: Roogue Private.exe (7.2MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
- Detect Xworm Payload
- StormKitty payload
- Async RAT payload
- Credentials from Password Stores: Credentials from Web Browsers. Malicious access to, or copying of, a web browser credential store.
- Checks computer location settings. Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service. Uses a legitimate geolocation service to find the infected system's geolocation.
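The extracted config and the signatures above translate directly into host and network detections. The following is an added example, written for this page and not part of the sandbox report or any vendor tooling: it sweeps constructed Sysmon-style telemetry for the XWorm C2 hosts and port, the %ProgramData%\svchost.exe install artifact and its Run key, the AsyncRAT mutex, the Telegram bot and chat IDs, and the external-IP lookup. The key=value log format, the field names, the set of legitimate svchost.exe directories and the list of IP-lookup services are assumptions of the example.

```python
"""IOC sweep over constructed host telemetry for the sample above.

Added example, not part of the sandbox report. The indicators are copied from
the report's extracted config and signatures; the log format, field names,
legitimate svchost.exe directories and IP-lookup service list are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Indicators copied from the extracted config / signatures in the report.
XWORM_C2_HOSTS = {"itsdaddy.zapto.org", "itsdaddy.giize.com"}  # matched case-insensitively
XWORM_C2_PORT = 7000
XWORM_INSTALL_NAME = "svchost.exe"   # install_file, dropped under %ProgramData%
ASYNCRAT_MUTEX = "AsyncMutex_6SI8OkPnk"
TELEGRAM_BOT_ID = "7423164379"       # numeric prefix of the bot token in the exfil URL
TELEGRAM_CHAT_ID = "7472532856"

# Assumptions for the example: where the real Service Host binary lives, and
# common IP-lookup services (the report does not name the one the sample used).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value key="quoted value"' telemetry line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def _host_of(url: str) -> str:
    m = re.match(r"[a-z]+://([^/:?#]+)", url, re.I)
    return (m.group(1) if m else url).lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_event(ev: dict[str, str]) -> list[Finding]:
    """Apply every rule to one parsed event; returns the matching findings."""
    hits: list[Finding] = []
    kind = ev.get("type")

    if kind == "dns" and ev.get("query", "").lower() in XWORM_C2_HOSTS:
        hits.append(Finding("xworm_c2_dns", ev["query"]))

    if kind == "netconn":  # dst assumed already enriched to host:port
        host, _, port = ev.get("dst", "").rpartition(":")
        if host.lower() in XWORM_C2_HOSTS and port == str(XWORM_C2_PORT):
            hits.append(Finding("xworm_c2_connect", ev["dst"]))

    if kind == "process":  # svchost.exe outside System32/SysWOW64 is the dropped copy
        image = ev.get("image", "")
        if (ntpath.basename(image).lower() == XWORM_INSTALL_NAME
                and ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS):
            hits.append(Finding("svchost_masquerade", image))

    if kind == "registry":  # Run key pointing at the install artifact
        key, data = ev.get("key", "").lower(), ev.get("data", "")
        if r"\currentversion\run" in key and (
                ntpath.basename(data).lower() == XWORM_INSTALL_NAME
                or "\\programdata" in ntpath.dirname(data).lower()):
            hits.append(Finding("run_key_persistence", f"{ev.get('key')} -> {data}"))

    if kind == "http":
        url = ev.get("url", "")
        host = _host_of(url)
        if host == "api.telegram.org" and "/sendmessage" in url.lower():
            known = TELEGRAM_BOT_ID in url and TELEGRAM_CHAT_ID in url
            hits.append(Finding("telegram_exfil_known_bot" if known
                                else "telegram_bot_api_use", url))
        elif host in IP_LOOKUP_HOSTS:
            hits.append(Finding("external_ip_lookup", host))

    if kind == "mutex" and ev.get("name") == ASYNCRAT_MUTEX:
        hits.append(Finding("asyncrat_mutex", ev["name"]))
    return hits


def sweep(lines: list[str]) -> list[Finding]:
    return [h for line in lines if line.strip() for h in check_event(parse_event(line))]


# Constructed telemetry for the example (bot token redacted; it is in the report).
SAMPLE_TELEMETRY = r"""
type=dns host=WS01 query=itsDaddy.giize.com
type=netconn host=WS01 dst=itsdaddy.zapto.org:7000
type=process host=WS01 image="C:\ProgramData\svchost.exe" cmdline="C:\ProgramData\svchost.exe"
type=process host=WS01 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs -p"
type=registry host=WS01 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost" data="C:\ProgramData\svchost.exe"
type=mutex host=WS01 name=AsyncMutex_6SI8OkPnk
type=http host=WS01 url=https://api.ipify.org/
type=http host=WS01 url="https://api.telegram.org/bot7423164379:REDACTED/sendMessage?chat_id=7472532856"
type=http host=WS01 url=https://www.microsoft.com/
""".strip().splitlines()

if __name__ == "__main__":
    for f in sweep(SAMPLE_TELEMETRY):
        print(f"{f.rule:26} {f.detail}")
```

The legitimate System32 svchost.exe and the microsoft.com request produce no findings; the rest of the constructed lines each map to one rule. The svchost masquerade and Run-key rules are the ones worth keeping generic: they catch the install artifact regardless of which C2 hostnames a rebuilt sample uses.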
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Event Triggered Execution: Netsh Helper DLL (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Event Triggered Execution: Netsh Helper DLL (1)
- Scheduled Task/Job: Scheduled Task (1)
Credential Access
- Credentials from Password Stores: Credentials from Web Browsers (1)
- Unsecured Credentials: Credentials In Files (1)