General

  • Target

    Image logger V2.bat

  • Size

    29.9MB

  • Sample

    240907-vdbyhatflr

  • MD5

    f9fe001633e62b59eec398eaeb5d9b3c

  • SHA1

    edc9879fab5c9e69eca9814584a3079e93a4339d

  • SHA256

    2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

  • SHA512

    0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20

  • SSDEEP

    49152:4JDhbOqBRZaVCQdy5U5CTCxA2HRHt21676CpcIZPxlwmCQ2VjDnMl/6xXh7r9EGV:47

Malware Config

Extracted

  • Family

    xworm

  • C2

    since-searching.gl.at.ply.gg:64197

  • Attributes

    • Install_directory

      %ProgramData%

    • install_file

      Helper.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

MITRE ATT&CK Enterprise v15