General

  • Target

    3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

  • Size

    6.6MB

  • Sample

    241018-vxavjs1bnm

  • MD5

    ed24b048880a8a2a3b7ac4911a7e81df

  • SHA1

    80f631b5481ec48729c3a738dc7ab003b4cd61c1

  • SHA256

    3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

  • SHA512

    fab270e82961ecf6c1db9a53eb0dc81b0a3d6251b39421486dfa6e6f20826577c2db0624444de39f8a91465fb5ab1530e5530480cdc9b5b33b8ab260350bfe2f

  • SSDEEP

    196608:Xx3sgZH4wNNHmaqTE6kTcSzCkNBcjx3sgZdJ:h8CnDm7HORBcF8CdJ

Malware Config

Extracted

Family

xworm

Version

3.0

C2

topics-junior.at.ply.gg:45283

Mutex

7K8kkC78j4IfMAr6

Attributes
  • Install_directory

    %AppData%

  • install_file

    wininit.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Test

C2

scambaiting2022.ddns.net:25565

192.168.1.3:25565

Mutex

41845399-4858-4791-bd1c-b2526f38e8cc

Attributes
  • encryption_key

    77693888CF811B44AE75658ADBCA8897192A96FF

  • install_name

    update.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Chrome Update

  • subdirectory

    Chrome

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://54.208.157.120:80/Night_uac/amsi.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/uac.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/command.ps1

ps1.dropper

http://54.208.157.120:80/Night_uac/down.ps1

Extracted

Language
ps1
Source
URLs
exe.dropper

http://54.208.157.120:80/Night_uac/Uac_main.ps1

exe.dropper

http://54.208.157.120:80/Night_uac/payloads/9usd7yge.ps1

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://54.208.157.120:80/winlogin.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

16.ip.gl.ply.gg:56795

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:10001

127.0.0.1:9147

windowsddns.duckdns.org:6606

windowsddns.duckdns.org:7707

windowsddns.duckdns.org:8808

windowsddns.duckdns.org:10001

windowsddns.duckdns.org:9147

country-wellness.gl.at.ply.gg:6606

country-wellness.gl.at.ply.gg:7707

country-wellness.gl.at.ply.gg:8808

country-wellness.gl.at.ply.gg:10001

country-wellness.gl.at.ply.gg:9147

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Days Out.exe

  • install_folder

    %AppData%

aes.plain
aes.plain

Extracted

Family

njrat

Version

im523

Botnet

scammer

C2

topics-junior.at.ply.gg:45283

Mutex

87fbb7d05011dd3c6b564f136007bf19

Attributes
  • reg_key

    87fbb7d05011dd3c6b564f136007bf19

  • splitter

    |'|'|

Extracted

Family

quasar

Version

1.4.1

Botnet

My VM

C2

myownvm.anondns.net:13832

37.120.141.165:13832

server1.trustedvpnservices.com:13832

higradevpn.xyz:13832

Mutex

071e2576-e94a-492e-8303-baae1cb4641c

Attributes
  • encryption_key

    402F6F1B2F63357285F585A5880FBC2C0F468F55

  • install_name

    ShellExperienceHost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Shell Experience Host

  • subdirectory

    drivers

Extracted

Family

orcus

Botnet

Scammers

C2

44.203.122.41:1604

Mutex

b040a0c11d1a4273bc5428c0c9cb2c5b

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\Orcus\explorer.exe

  • reconnect_delay

    9000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\AnyDex.exe

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://54.208.157.120:80/scambtr_uac/amsi.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/uac.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/command.ps1

ps1.dropper

http://54.208.157.120:80/scambtr_uac/down.ps1

Extracted

Language
ps1
Source
URLs
exe.dropper

http://54.208.157.120:80/scambtr_uac/Uac_main.ps1

exe.dropper

http://54.208.157.120:80/scambtr_uac/payloads/fm1ri21p.ps1

Extracted

Family

xworm

Version

3.1

C2

miles-c.at.ply.gg:49826

Mutex

qzx0AtyVDsrQphps

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

180.ip.ply.gg:48892

Mutex

QWgaicbZP6H1puz7

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://44.203.122.41:80/Obexe.ps1
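
The "Extracted" blocks above are the actionable part of this report, but not every C2 entry in them is worth acting on: the AsyncRAT and Quasar 1.4.0 configs carry loopback and private addresses (127.0.0.1, 192.168.1.3), which are builder defaults or lab noise rather than attacker infrastructure. The Python below is an added example, not part of the sandbox output: it parses config blocks written in the page's flattened layout into structured IOCs, filters non-routable C2 entries, and derives an expected drop path from the install attributes. The sample text is a constructed, shortened copy of two blocks from this report; the install-path mapping (directory attribute joined with file-name attribute) is an assumption the report does not state.

```python
import ipaddress

# Constructed sample: a shortened copy of two config blocks from this report,
# in the same flattened layout the page uses (the parser ignores blank lines).
SAMPLE_REPORT = """\
Extracted

Family

quasar

C2

scambaiting2022.ddns.net:25565

192.168.1.3:25565

Attributes
  • install_name

    update.exe

  • subdirectory

    Chrome

Extracted

Family

asyncrat

C2

16.ip.gl.ply.gg:56795

127.0.0.1:6606

Mutex

AsyncMutex_6SI8OkPnk
"""

# Section labels used on the page; 'aes.plain' appears as a label whose value
# did not survive extraction, so it is treated as a key rather than a value.
SECTION_KEYS = {"Family", "Version", "Botnet", "C2", "Mutex", "Attributes", "aes.plain"}


def parse_extracted(text):
    """One dict per 'Extracted' block: scalar keys (family, version, ...),
    a list of (host, port) C2 tuples and an attributes dict."""
    configs, current, key, attr = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            current = {"c2": [], "attributes": {}}
            configs.append(current)
            key = attr = None
        elif current is None:
            continue                       # text before the first block
        elif line in SECTION_KEYS:
            key, attr = line, None
        elif key == "Attributes":
            if line.startswith("•"):       # bullet introduces an attribute name
                attr = line.lstrip("• ")
            elif attr:
                current["attributes"][attr] = line
        elif key == "C2":
            host, _, port = line.rpartition(":")
            if host and port.isdigit():
                current["c2"].append((host, int(port)))
        elif key:
            current[key.lower()] = line
    return configs


def is_routable(host):
    """False for loopback/private/link-local IP literals (builder defaults or
    sandbox noise); hostnames and public IPs count as routable."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True                        # not an IP literal: a hostname


def actionable_c2(configs):
    """Deduplicated, sorted host:port pairs worth blocking or hunting for."""
    return sorted({f"{h}:{p}" for c in configs for h, p in c["c2"] if is_routable(h)})


def install_path_hint(cfg):
    """Expected drop location. Assumption, not stated by the report: the
    directory attribute and the file-name attribute join into the on-disk path."""
    a = {k.lower(): v for k, v in cfg["attributes"].items()}
    if "install_path" in a:
        return a["install_path"]
    folder = a.get("install_directory") or a.get("install_folder") or a.get("subdirectory")
    name = a.get("install_file") or a.get("install_name")
    return f"{folder}\\{name}" if folder and name else name


if __name__ == "__main__":
    cfgs = parse_extracted(SAMPLE_REPORT)
    print(actionable_c2(cfgs), [install_path_hint(c) for c in cfgs])
```

Feed the full report text to `parse_extracted` to get every family's C2 list, mutex and attributes in one pass; `actionable_c2` is what goes to the blocklist, while the mutex values and `install_path_hint` results are what to look for on a suspected host.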

Targets

    • Target

      AnyDesk.exe

    • Size

      2.9MB

    • MD5

      7cd339f9be1417421acf8790c9738922

    • SHA1

      c25eff4d9d2d5b55f1cc4ffc623354004565e8b9

    • SHA256

      ec0ec7ce8ef71cb7e7d1c2418c47ad94cea8833db8578ccdf94271f8efed38d3

    • SHA512

      f118ea660a51ff38abc20a9ad16f6505cf8a862df1b564829d9af06710e0c4b91d0abbedc4b852696acf0e807a25138d82c2fc518cd54c32dba92f513467b411

    • SSDEEP

      49152:vAOdl4d7NHNUb75uEEbOyYWHxL9X5zT/dPUAUA/JH:El8DFWHTN

    Score
    1/10
    • Target

      Archevod_XWorm.exe

    • Size

      36KB

    • MD5

      95b3c12592ed7de85aeb86fe9c54e23a

    • SHA1

      4a6f7b46d077ad0e1dabea9f30efa95c52f79f3d

    • SHA256

      50a3d3508c4b826b4e36678dd91b374c339b0c57a89a31cd3e9f5a4441772dc0

    • SHA512

      7a1cd098641bbada8ad6015dfa6cb922ed425632eedc9c7b9ef2774b9c81ff74083d6d8549bb708f39f3dae479b53e46eddb068ed457883cd803ce593e50b08a

    • SSDEEP

      768:tRmCfIsRkrkdeoQR/auzH9R1acc/FPr9lqO9h52ZL:tRmC8r+uL/EcKFz9lqO9yZL

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Target

      ClickMe.lnk.download

    • Size

      1KB

    • MD5

      08b5b3505abb428c860598363761f2e8

    • SHA1

      2344992168414c023bd6851d63ea62520770365a

    • SHA256

      3ba3c169988a8bc600b58e2ca578e36b48de210bbf058f61b3e7525af01c982d

    • SHA512

      1b547c089197aba0dce835de875dbdb2c69ed2e9c2199f10ed767b642935dc1c3f50b1ef0521924459d09942fceac5478cf5a0471f94b7bc06c18da9149a2c4c

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      Cmstp.bat

    • Size

      264B

    • MD5

      31254e5f0a767dba0d013d83d8949be8

    • SHA1

      a5f59a60307eb142d30c3ff14b9b916dce8b3733

    • SHA256

      1521435d9d3fb9dc5b08494130f2118b073a6bc6dc233e3ec404225a57b9c4b3

    • SHA512

      c97829934e12efe7d8b78c177666ce1fe30c6a77e6617c06f8a0c23cd4a59a1ec625ee3edc72fe512ce79b56e4f3be716be6bd5ab4089b4ccdbb48b5b56a12d1

    Score
    10/10
    • Blocklisted process makes network request

    • Target

      GoogleChrome.exe

    • Size

      690KB

    • MD5

      5818f4fecb0dcc52227035dc0d88830b

    • SHA1

      ccda411e1e7c643308f8c643b384ec979c185787

    • SHA256

      1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894

    • SHA512

      b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f

    • SSDEEP

      12288:jTEgdfY8l6hdV6l4et8klwIdctVdrcdirMBgJS9UOIK3:8UwBD6lbt8ufcVrcdiMCJSuOIK3

    • Quasar RAT

      Quasar is an open-source remote access tool.

    • Quasar payload

    • Executes dropped EXE

    • Target

      Hidden_Undected_CMSTP-Reflection.ps1.bak

    • Size

      13KB

    • MD5

      39d26ba464405a52eec059c38fde3742

    • SHA1

      b8e15337cbdfe46d6c712bf45a381b5a97d30db1

    • SHA256

      5812fe6944f400d00f4ab4b4189779c3caddc419c3346842e30c07d238f4d186

    • SHA512

      7fb159fbedc68cd0a353534b30cca7f0f6a95f327c69d2a4cc1b7d4c4b591ea893451b18f188d5739873a64c64bd314546a20bb272d76931cee1937a6104e337

    • SSDEEP

      384:lc2055WPIbP1ermV2qvkXLuwYiou2tc428QuB:lc2eWgP1UIEuwhom4tQW

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with a hidden display window.

    • Drops file in System32 directory

    • Target

      Hidden_magic.vbs

    • Size

      122B

    • MD5

      3e168164fe0f6469cb14efd628bb15de

    • SHA1

      d1319d3c0264ee65258982090a8b8e6ea5832169

    • SHA256

      acbd157e5546a03b6a1695974294b99f751a4a9ef21dcfc9794da26ee1623a23

    • SHA512

      085d64420abf67fbeb394fb229e24fdd0be9139e320d63e9d249275013fee1a352499c985629800f694a4053a41499cc30d3913c1a783c3757804ff81de78439

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      Manage.bat

    • Size

      289B

    • MD5

      3b001f8d88211bf2f64a1fbd7cfc22a4

    • SHA1

      f27eec327bc4689848fcda18bf88402d649143c2

    • SHA256

      303666e8136c8f5d1471f503dfa7ba32e5ac303f3b758a8af6a80cc7fdd61253

    • SHA512

      2a94b1311fad0a408773ec30851f1a68d525b0db9a185865c1faf209eb1e6d8f8768ce35051e245b17e468714e645c2553898a833090e1ccb56db56e9bf2c4c3

    Score
    1/10
    • Target

      Night_uac/Uac_main.ps1

    • Size

      895B

    • MD5

      550a412ff00f92f90795bec6a8c8286e

    • SHA1

      1929e24de6fd883b4f5c191c317b272001a43973

    • SHA256

      af1c04051180e61745b676d36bf583a9e95995a810bba71c26d6366fc4eedb6e

    • SHA512

      7d29881c6f7f2be8a48bba0b7e7e755a02ae2c648320a9daedb68591f4995323c495d9c5bc4cbb79ad8321d4fdf55774d33d7eaaf36218336576e729ed3e7ade

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      Night_uac/Uac_stage.ps1

    • Size

      435B

    • MD5

      9c0b29cea5533806aee83f5c49fcf6cd

    • SHA1

      659155db6497a1d5c1e6fb2dc40b16f63bf0e1db

    • SHA256

      e442ae7d9792416c46c134c8587ac7bfd947a6062c4abe9b700f83a5274b72cc

    • SHA512

      72e6b4b55a4c16c12408a46b668073d0b09d59a0d4bc0941a33dc6859af8f8358df224f07d7fd2de780945c503c46a7f5cf98e957e4031884e9d0ec497463def

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      Night_uac/Uac_stage_gen.py

    • Size

      1KB

    • MD5

      a68f17114a988b00f30a0eed296733ac

    • SHA1

      22c4aa93ce3fc2a191f32359d6fe8c2ffe79dafb

    • SHA256

      4d505f1f2b73cf7e857164dfdf1d18a4488f3b593a0ea9a7d051e9d46c15ddaf

    • SHA512

      6d1a93c6f0389972477b6841d2e830874fbf45c1dbc446bbdfc884e0c6f69e0cb1dfbb23d0a0fa583d7308eb8cc83199b95eadb77fd84fd5a16db85732d7c96b

    Score
    3/10
    • Target

      Night_uac/amsi.ps1

    • Size

      1KB

    • MD5

      ab586dd0a3d8dc473e8a12a5a4c6a484

    • SHA1

      247455520a6b3706355e6afc4815fc0fbec331c4

    • SHA256

      e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3

    • SHA512

      898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20

    Score
    3/10
    • Target

      Night_uac/amsi.ps1.bak

    • Size

      1KB

    • MD5

      ce55b86a579ff526c25fdfeb398fa285

    • SHA1

      134fb6ec72f0123f5111333ca6d4c4a9c125cf67

    • SHA256

      dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d

    • SHA512

      ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f

    Score
    3/10
    • Target

      Night_uac/command.ps1

    • Size

      131B

    • MD5

      5fe24b6b15d15df6b534a5815b6f0c9d

    • SHA1

      b13c4de3c056ab8f96664d66fc2ad3b63278adfe

    • SHA256

      e7c87640a365548db623dbbf029aa30b57f6d57e3040695b997d8dc073a35cf8

    • SHA512

      ec354dc51d3a6885e0b32ed405becba092581a85d8060a8a901dbe1b41ff1ff55d2ae272a7651e8ef996acc7fd8e643bbec29b6d5d94ee00ab0a229c72457445

    Score
    3/10
    • Target

      Night_uac/down.ps1

    • Size

      278B

    • MD5

      de07ecbd1be6e54daa4e8eaf6303b157

    • SHA1

      d5865ba74f03ccf7c03e27d1399e6b46e85f895e

    • SHA256

      ab12c751a1da5db32da6abb02fb8b24a873866b65ec45905db842877c7ff5c8d

    • SHA512

      e8bc8f9f272c3ba792779292dd5cc4f64f7092e63de5d58ebe4e13a755000ea2ec195eb7b20c973865728aa0d9bf198e6bf68118533de2f6664185b5e07501da

    Score
    8/10
    • Blocklisted process makes network request

    • Drops startup file

    • Target

      Night_uac/payloads/0malm7gp.ps1

    • Size

      44B

    • MD5

      2d663bdc95565ef04c1d3db0e4bde2f0

    • SHA1

      1c1aaa0b478be1cd6732825d73f90168fe7c5790

    • SHA256

      80d6bdb1d89d5c6b81f4a09dc469cc5f0a094602ce2241e0d60fd714a7fc9327

    • SHA512

      75de1067200dde50a559db01da8f2b4ea22735447ce4a85dae76703a4401213edb6921960aff1fd8de5a8dd86b5d0c071f43ba49592b0993c00fa6bc7980e152

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

test, rat, default, scammer, my vm, scammers, xworm, quasar, asyncrat, njrat, orcus, nanocore
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

xworm, persistence, rat, trojan
Score
10/10

behavioral4

xworm, persistence, rat, trojan
Score
10/10

behavioral5

execution
Score
8/10

behavioral6

execution
Score
8/10

behavioral7

execution
Score
10/10

behavioral8

execution
Score
10/10

behavioral9

quasar, test, spyware, trojan
Score
10/10

behavioral10

quasar, test, spyware, trojan
Score
10/10

behavioral11

execution
Score
8/10

behavioral12

execution
Score
8/10

behavioral13

Score
3/10

behavioral14

Score
7/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

execution
Score
8/10

behavioral18

execution
Score
8/10

behavioral19

execution
Score
8/10

behavioral20

execution
Score
8/10

behavioral21

discovery
Score
3/10

behavioral22

Score
3/10

behavioral23

execution
Score
3/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

execution
Score
8/10

behavioral30

execution
Score
8/10

behavioral31

execution
Score
3/10

behavioral32

execution
Score
3/10