General

Target: 7ae4f788f2df6be0152e4fd650fc0fa1e8e9fe0a22313d5079e31f4bf197333b
Size: 8.0MB
Sample: 240908-b1jgbaxckl
MD5: be1b1120e34c4d331bfa43f3cbb527d9
SHA1: f268425da36c1334ca3cf5c835d64a479465b431
SHA256: 7ae4f788f2df6be0152e4fd650fc0fa1e8e9fe0a22313d5079e31f4bf197333b
SHA512: 51b467fd2a6243a8bc1e218a39dfa13364240921220995f5458df51617c1e2d24ba657a5b68cfcf1824fe42db57e51215a3a0377425efdc172b844c3506f8b28
SSDEEP: 196608:Rpn2uYzIJ0YEleaoUzEDbmPo8wwVKhKsTc6HnSI2yxE/8+n:RpLkIGYnaOWPVK9TcS1KUa
Static task: static1

Behavioral task: behavioral1
    Sample: c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd.exe
    Resource: win7-20240903-en

Behavioral task: behavioral2
    Sample: c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd.exe
    Resource: win10v2004-20240802-en
Malware Config

Extracted: xworm
    version: 3.1
    c2: includes-ear.at.ply.gg:19669
    Install_directory: %AppData%
    install_file: USB.exe
    telegram: https://api.telegram.org/bot5946256736:AAHO4CrAGp_CXtFIt3jYlFOdvAaqBfQV7Qo/sendMessage?chat_id=5319807265

Extracted: quasar
    version: 1.3.0.0
    update64
    c2: site-translations.at.ply.gg:19855
    mutex: QSR_MUTEX_WJxUvmtxNYm7LGjN3t
    encryption_key: 32vt5jMLvcowHkjxpyew
    install_name: update.exe
    log_directory: Logs
    reconnect_delay: 3000
    startup_key: update
    subdirectory: SubDir
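The extracted configs above are the most useful part of the report for hunting, but they are not in a shape a SIEM or blocklist can consume. The script below is an added example, not part of the Triage report or of either malware family's tooling: it copies the two configs as shown on the page into dicts and flattens them into typed indicator records (C2 host and port, mutex, dropped file names, Run-key value name, Telegram bot id and chat id). The record layout and the helper names are this example's own; the only outside fact it relies on is that *.ply.gg hostnames are playit.gg tunnel endpoints.

```python
"""Turn the XWorm and Quasar configs extracted above into hunting indicators.

Added example, not part of the Triage report. The two dicts copy the config
values shown in the "Malware Config" section; the record layout and the helper
names are this example's own choice.
"""
import re
from urllib.parse import parse_qs, urlparse

# Values copied from the report's "Malware Config" section.
XWORM_CONFIG = {
    "family": "xworm",
    "version": "3.1",
    "c2": ["includes-ear.at.ply.gg:19669"],
    "install_directory": "%AppData%",
    "install_file": "USB.exe",
    "telegram": ("https://api.telegram.org/bot5946256736:"
                 "AAHO4CrAGp_CXtFIt3jYlFOdvAaqBfQV7Qo/sendMessage?chat_id=5319807265"),
}
QUASAR_CONFIG = {
    "family": "quasar",
    "version": "1.3.0.0",
    "c2": ["site-translations.at.ply.gg:19855"],
    "mutex": "QSR_MUTEX_WJxUvmtxNYm7LGjN3t",
    "encryption_key": "32vt5jMLvcowHkjxpyew",
    "install_name": "update.exe",
    "startup_key": "update",
    "subdirectory": "SubDir",
}

TELEGRAM_BOT_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/")


def split_c2(entry):
    """'host:port' -> (host, port); rpartition splits on the last colon."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def telegram_details(url):
    """Bot id, token and chat id from a Telegram Bot API URL, or None."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        return None
    chat = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2), "chat_id": chat}


def iocs_from_config(cfg):
    """Flatten one extracted config into typed indicator records."""
    fam = cfg["family"]
    out = []
    for entry in cfg.get("c2", []):
        host, port = split_c2(entry)
        rec = {"type": "c2", "value": host, "port": port, "family": fam}
        if host.endswith(".ply.gg"):
            # *.ply.gg hostnames are playit.gg tunnel endpoints: the operator's
            # real address sits behind the tunnel, so pivot on the subdomain
            # and port rather than on whatever IP it resolves to today.
            rec["note"] = "playit.gg tunnel"
        out.append(rec)
    if "mutex" in cfg:
        out.append({"type": "mutex", "value": cfg["mutex"], "family": fam})
    if "telegram" in cfg:
        # The host is api.telegram.org, so alert on the bot id / chat id in
        # the URL rather than on the domain, which is legitimate traffic.
        tg = telegram_details(cfg["telegram"])
        out.append({"type": "telegram_bot", "value": tg["bot_id"],
                    "chat_id": tg["chat_id"], "family": fam})
    for key in ("install_file", "install_name"):
        if key in cfg:
            out.append({"type": "filename", "value": cfg[key], "family": fam})
    if "startup_key" in cfg:
        # Name of the value written under the Run key (see "Adds Run key" below).
        out.append({"type": "run_key_value", "value": cfg["startup_key"], "family": fam})
    return out


def all_iocs():
    return iocs_from_config(XWORM_CONFIG) + iocs_from_config(QUASAR_CONFIG)


if __name__ == "__main__":
    for rec in all_iocs():
        print(rec)
```

The C2 records are kept as hostname plus port on purpose: both tunnel hosts resolve to playit.gg infrastructure shared with other tenants, so blocking the resolved IP would both miss the operator and cause collateral blocks.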
Targets

Target: c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd.exe
Size: 8.2MB
MD5: 630470e421acd1df856832d7a12b4853
SHA1: 72d9de36902b6bb8e7b0150c2371a0af341302c3
SHA256: c2eb68974fb982502a2f497826f922563d90dfdf32725b44613aa1f957c8d0fd
SHA512: 6fa9f3887613ded84e53b655f84ca245483649e088e956289f15f9b5c3ad91271c395038ff39ec2dcc23415ab41e8bf8d2514f738b1a470c2e58e92d7763be41
SSDEEP: 196608:+sYqGogjHX3kH/6PJzxUJNuuSjlSTm0oon51jfHxMOpa+Sq:1sogjnQ61xQYxSTm0rHiWa+S
- Detect Xworm Payload
- Quasar payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
- Drops file in Drivers directory
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Enumerates processes with tasklist
-
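Several of the signatures above (PowerShell Defender exclusions, firewall modification, Run-key persistence, tasklist enumeration, command obfuscation) are all visible on the process command line, which is where most endpoint telemetry would catch them. The script below is an added example, not part of the Triage report: it runs a small rule table over process-creation events and, for PowerShell, also decodes an -EncodedCommand payload before matching, so an exclusion hidden behind base64 (the "Command Obfuscation" case) is still caught. The sample events are constructed to mirror the report's config (USB.exe under %AppData%, update.exe under SubDir, startup key "update") and are not from the sandbox run; the rule names and the ATT&CK technique IDs in the table are this example's own mapping.

```python
"""Command-line detection logic for the behaviours listed above: PowerShell
Defender exclusions (also when hidden behind -EncodedCommand), netsh firewall
changes, Run-key persistence and tasklist enumeration.

Added example, not part of the Triage report. SAMPLE_EVENTS are constructed;
the rule names and technique IDs are this example's own mapping.
"""
import base64
import re

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# (rule name, ATT&CK technique, pattern). Patterns are searched in the raw
# command line and, when present, in the decoded -EncodedCommand payload.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"(?i)Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)")),
    ("firewall_modify", "T1562.004",
     re.compile(r"(?i)\bnetsh\b.*\b(?:advfirewall|firewall)\b")),
    ("run_key_persistence", "T1547.001",
     re.compile(r"(?i)\\CurrentVersion\\Run\b")),
    ("process_enumeration", "T1057",
     re.compile(r"(?i)(?:^|[\\\s])tasklist(?:\.exe)?\b")),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Run RULES over process-creation events; one hit per (event, rule)."""
    hits = []
    for idx, ev in enumerate(events):
        cmd = ev["cmdline"]
        decoded = decode_encoded_command(cmd)
        for name, technique, pat in RULES:
            if pat.search(cmd):
                hits.append({"event": idx, "rule": name, "technique": technique, "via_decode": False})
            elif decoded and pat.search(decoded):
                hits.append({"event": idx, "rule": name, "technique": technique, "via_decode": True})
    return hits


def _encoded(ps):
    # Constructed helper producing what `powershell -EncodedCommand` expects (UTF-16LE, base64).
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events, not taken from the report.
SAMPLE_EVENTS = [
    {"image": "powershell.exe",
     "cmdline": 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\u\\AppData\\Roaming" -ExclusionProcess "USB.exe"'},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encoded('Add-MpPreference -ExclusionExtension ".exe"')},
    {"image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="update" dir=in action=allow program="C:\\Users\\u\\AppData\\Roaming\\SubDir\\update.exe" enable=yes'},
    {"image": "reg.exe",
     "cmdline": 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v update /t REG_SZ /d "C:\\Users\\u\\AppData\\Roaming\\SubDir\\update.exe"'},
    {"image": "cmd.exe", "cmdline": "cmd.exe /c tasklist /fo csv"},
    {"image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users\\u\\Documents"},
]


if __name__ == "__main__":
    for h in analyze(SAMPLE_EVENTS):
        print(h)
```

The decode step matters more than the rule table: without it the second event, which is the same Defender exclusion as the first, produces no hit at all. In production, the same decoded text should also be fed to PowerShell script-block logging (Event ID 4104) correlation, since -EncodedCommand is only one of several ways to keep the cmdlet name off the command line.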
MITRE ATT&CK Enterprise v15

Execution
    Command and Scripting Interpreter (2)
        PowerShell (2)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (1)
        Netsh Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (1)
        Netsh Helper DLL (1)
    Scheduled Task/Job (1)
        Scheduled Task (1)
Defense Evasion
    Hide Artifacts (1)
        Hidden Files and Directories (1)
    Impair Defenses (1)
        Disable or Modify System Firewall (1)
    Modify Registry (1)
    Obfuscated Files or Information (1)
        Command Obfuscation (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (3)
        Credentials In Files (3)