Overview
overview
10Static
static
10Dropper/Berbew.exe
windows7-x64
10Dropper/Berbew.exe
windows10-2004-x64
10Dropper/Phorphiex.exe
windows7-x64
10Dropper/Phorphiex.exe
windows10-2004-x64
10RAT/31.exe
windows7-x64
10RAT/31.exe
windows10-2004-x64
10RAT/XClient.exe
windows7-x64
10RAT/XClient.exe
windows10-2004-x64
10RAT/file.exe
windows7-x64
7RAT/file.exe
windows10-2004-x64
7Ransomware...-2.exe
windows7-x64
10Ransomware...-2.exe
windows10-2004-x64
10Ransomware...01.exe
windows7-x64
10Ransomware...01.exe
windows10-2004-x64
10Ransomware...lt.exe
windows7-x64
10Ransomware...lt.exe
windows10-2004-x64
10Stealers/Azorult.exe
windows7-x64
10Stealers/Azorult.exe
windows10-2004-x64
10Stealers/B...on.exe
windows7-x64
10Stealers/B...on.exe
windows10-2004-x64
10Stealers/Dridex.dll
windows7-x64
10Stealers/Dridex.dll
windows10-2004-x64
10Stealers/M..._2.exe
windows7-x64
10Stealers/M..._2.exe
windows10-2004-x64
10Stealers/lumma.exe
windows7-x64
10Stealers/lumma.exe
windows10-2004-x64
10Trojan/BetaBot.exe
windows7-x64
10Trojan/BetaBot.exe
windows10-2004-x64
10Trojan/Smo...er.exe
windows7-x64
10Trojan/Smo...er.exe
windows10-2004-x64
10Resubmissions
12-09-2024 02:23
240912-cvfznswere 1004-09-2024 00:09
240904-afvheascla 1003-09-2024 18:57
240903-xl8csavfrb 1003-09-2024 18:12
240903-ws828asgnm 10Analysis
-
max time kernel
139s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-09-2024 18:12
Behavioral task
behavioral1
Sample
Dropper/Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Dropper/Berbew.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Dropper/Phorphiex.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Dropper/Phorphiex.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
RAT/31.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
RAT/31.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
RAT/XClient.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
RAT/XClient.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
RAT/file.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
RAT/file.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Ransomware/Client-2.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
Ransomware/Client-2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Ransomware/criticalupdate01.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Ransomware/criticalupdate01.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
Ransomware/default.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
Ransomware/default.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Stealers/Azorult.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Stealers/Azorult.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Stealers/BlackMoon.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
Stealers/BlackMoon.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Stealers/Dridex.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Stealers/Dridex.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
Stealers/Masslogger/mouse_2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
Stealers/lumma.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
Stealers/lumma.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
Trojan/BetaBot.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
Trojan/BetaBot.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
Trojan/SmokeLoader.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
Trojan/SmokeLoader.exe
Resource
win10v2004-20240802-en
General
-
Target
RAT/XClient.exe
-
Size
172KB
-
MD5
75ba783757c5b61bd841afa136fc3eda
-
SHA1
8db9cda9508471a23f9b743027fa115e01bc1fe1
-
SHA256
75a8719e83e4aecbe51287d7bfaf1e334fa190c7784324f24bcf61ab984de20a
-
SHA512
9a6cfbf4302336662527837bf60b30b458f8d438bd6e9563093d4948bf81c79d56578e965d836e90aafde553d1cdc9c6df81a254aafcfb3379fbe6405dce0ea1
-
SSDEEP
1536:vJcr5kCyoAp30kaF6CiJzt7UbjFdZe8e6TOAJkU7JsOpysa7iAMI:BcmNNxda6zZUbjHZe8jO6H2OpYuAf
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/2jTT3Lnj
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral7/memory/1032-1-0x0000000001320000-0x0000000001350000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2964 powershell.exe 296 powershell.exe 2728 powershell.exe 2736 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk XClient.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" XClient.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 7 pastebin.com 8 7.tcp.eu.ngrok.io 16 7.tcp.eu.ngrok.io 27 7.tcp.eu.ngrok.io 6 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2964 powershell.exe 296 powershell.exe 2728 powershell.exe 2736 powershell.exe 1032 XClient.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1032 XClient.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeDebugPrivilege 296 powershell.exe Token: SeDebugPrivilege 2728 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 1032 XClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1032 XClient.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2964 1032 XClient.exe 29 PID 1032 wrote to memory of 2964 1032 XClient.exe 29 PID 1032 wrote to memory of 2964 1032 XClient.exe 29 PID 1032 wrote to memory of 296 1032 XClient.exe 31 PID 1032 wrote to memory of 296 1032 XClient.exe 31 PID 1032 wrote to memory of 296 1032 XClient.exe 31 PID 1032 wrote to memory of 2728 1032 XClient.exe 33 PID 1032 wrote to memory of 2728 1032 XClient.exe 33 PID 1032 wrote to memory of 2728 1032 XClient.exe 33 PID 1032 wrote to memory of 2736 1032 XClient.exe 35 PID 1032 wrote to memory of 2736 1032 XClient.exe 35 PID 1032 wrote to memory of 2736 1032 XClient.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RAT\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NYBFBGOIB63ESNZ6GDSD.temp
Filesize7KB
MD5d1ad499e60eb8af262e7d298416bbd67
SHA19157529c625d7e4a38d2b0a5182d532560846cbe
SHA2566e9705a1e5dc4356eaba83b4fee8fa07e410831ee932b30608dc724e1de40aa7
SHA51205e7d5660ec58025707062150c8e4e6f772068ff75a1ec494099f8b9bcbabfa47f173efef75ae71aefe72eb692661a9b0c073cf13eaeb55280b0a22358821b5c