General

  • Target

    Roogue Private.exe

  • Size

    7.2MB

  • Sample

    240829-2qjbnsxckq

  • MD5

    644f88834e5ac39f4ae39e7ae7ac4fe8

  • SHA1

    9e6d36935e03c978ce880ee4ffcd35deaa1be257

  • SHA256

    c995ee6a0c0f1985859b6d367fd2a2f253d4910272d4600dcb37768cac3db5bf

  • SHA512

    aef4ad4713bf3990599c9923923a727136861226b149905fcd12a469bfe689f2fb856efbc45572c938f23649fed5a3ff496840fd558f6dc50929159534d4e2c2

  • SSDEEP

    196608:9qOT49D3jWMsQN4bkqrdWuTYAQNYelOat:cZ3irFhTY1lOat

Malware Config

Extracted

Family

xworm

Version

5.0

C2

itsdaddy.zapto.org:7000

itsDaddy.giize.com:7000

Mutex

GulJwRysiuatwEK4

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

aes.plain
aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7423164379:AAFflVsuq0BrKEG_Lh8KPIRPN6rHeW4a7oo/sendMessage?chat_id=7472532856

Targets

    • Target

      Roogue Private.exe

    • Size

      7.2MB

    • MD5

      644f88834e5ac39f4ae39e7ae7ac4fe8

    • SHA1

      9e6d36935e03c978ce880ee4ffcd35deaa1be257

    • SHA256

      c995ee6a0c0f1985859b6d367fd2a2f253d4910272d4600dcb37768cac3db5bf

    • SHA512

      aef4ad4713bf3990599c9923923a727136861226b149905fcd12a469bfe689f2fb856efbc45572c938f23649fed5a3ff496840fd558f6dc50929159534d4e2c2

    • SSDEEP

      196608:9qOT49D3jWMsQN4bkqrdWuTYAQNYelOat:cZ3irFhTY1lOat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Async RAT payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v15

Tasks