ploutus | 8d022a2eb23de6c1a15af83b3dbb51598e121e8488a1a4c1341e3296857c20c8

General

Target

x360ce.zip
Size

13.2MB
Sample

240901-dbc94szbkm
MD5

4d6d1b271a4c108fce94d992f37ebb50
SHA1

61a8432a7a0b9362ffabaecfe3aef5e42d707830
SHA256

8d022a2eb23de6c1a15af83b3dbb51598e121e8488a1a4c1341e3296857c20c8
SHA512

0117b373e4d8a7f7d8096d65f47862f22e929018dec9b209de3ebdf9ead246b1d4d88d45638a98da52afa79ba1560a878fac259f1877537243c08285528c5d3f
SSDEEP

393216:ZzCn+O7YjNcbB041Yfmn3wjmc1KbRtjh4/j5:9CnYjyBifljQRtG/l

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

elaablibeh.ddnsgeek.com:777

Mutex

Wugv8gU7r5XXjkNh

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  x360ce/data/Reg.data
- Size
  
  14.7MB
- MD5
  
  be80f3348b240bcee1aa96d33fe0e768
- SHA1
  
  40ea5de9a7a15f6e0d891cd1ba4bca8519bb85ed
- SHA256
  
  74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829
- SHA512
  
  dfb3b191152981f21180e93597c7b1891da6f10b811db2c8db9f45bbecc9feb54bc032bdd648c7ad1134e9b09e5e2b9705d5e21294e1ae328a4390350745536a
- SSDEEP
  
  196608:n+/7/fO/vBSVnf+viDyJBwhsCArf+viDyJBQhsCAaIF/f+viDyJBaF9hsCA6EJ0k:nX/vu0Bwhs8vu0BQhsvFOvu0BaF9hsR
Score

4^/10

discovery
behavioral1 behavioral2
- Target
  
  x360ce/data/Reg.dll
- Size
  
  270KB
- MD5
  
  babe69e99dded0a2f1362e596b31c718
- SHA1
  
  5f2cf112eb24a14e701c4adb2a50aab81afda083
- SHA256
  
  94ac046fbe73a603bffed9c3360c66eb87c58025d99e5090ed330e00dbf1d07b
- SHA512
  
  9a3c61b498b05c4a2039aeefb2969436acd3d0245e56fbf728f2eb80f1f9dfcb4012c483678747e8afe99b794e394dfd02347bf8d2f197516c487a53aa204765
- SSDEEP
  
  6144:wTXqI/36A2JEq6AiAlP17338hHxR38GK5d0eKZTuJYYX+360f0eD:wTriA2JuAi6PRmHxF8GmtKhuJP+3CeD
Score

1^/10
behavioral3 behavioral4
- Target
  
  x360ce/x360ce.exe
- Size
  
  162KB
- MD5
  
  d50289d1ba4b88774309b4ca8ee10ea4
- SHA1
  
  b88976f789650c10922c665386ab929c5bf45728
- SHA256
  
  ed6c4a4dabead55eff566e48c9d67865a18fdf90871119b9011f9db523a67d8f
- SHA512
  
  9d682961c698328e545a6fca2b50d6acd33389aca4d8e4b8ee2f24bea7598117b763c8b287e62804e0e4660042d9573150c969dbd651414e62ad32568e877c2f
- SSDEEP
  
  3072:3brZEFa/cwLLd85Ml1hL8nIwbAC1LwcEQkQkLY9nvu1Tno6vG2hwCxXdbqYun6L:3bx/caLd854qn9ECFwcEQWCUTnooG27B
Score

10^/10

xworm defense_evasion execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral5 behavioral6