Overview
Scores shown per analysis task (the task score of each row was fused onto the following file name in the extracted text; they are separated here).

Task                              Environment           Score
Overview                                                10
Static                                                  10
AnyDesk.exe                       windows7-x64          1
AnyDesk.exe                       windows10-2004-x64    1
Archevod_XWorm.exe                windows7-x64          10
Archevod_XWorm.exe                windows10-2004-x64    10
ClickMe.lnk                       windows7-x64          8
ClickMe.lnk                       windows10-2004-x64    8
Cmstp.bat                         windows7-x64          10
Cmstp.bat                         windows10-2004-x64    10
GoogleChrome.exe                  windows7-x64          10
GoogleChrome.exe                  windows10-2004-x64    10
Hidden_Und...on.ps1               windows7-x64          8
Hidden_Und...on.ps1               windows10-2004-x64    8
Hidden_magic.vbs                  windows7-x64          3
Hidden_magic.vbs                  windows10-2004-x64    7
Manage.bat                        windows7-x64          1
Manage.bat                        windows10-2004-x64    1
Night_uac/...in.ps1               windows7-x64          8
Night_uac/...in.ps1               windows10-2004-x64    8
Night_uac/...ge.ps1               windows7-x64          8
Night_uac/...ge.ps1               windows10-2004-x64    8
Night_uac/...gen.py               windows7-x64          3
Night_uac/...gen.py               windows10-2004-x64    3
Night_uac/amsi.ps1                windows7-x64          3
Night_uac/amsi.ps1                windows10-2004-x64    3
Night_uac/amsi.ps1                windows7-x64          3
Night_uac/amsi.ps1                windows10-2004-x64    3
Night_uac/command.ps1             windows7-x64          3
Night_uac/command.ps1             windows10-2004-x64    3
Night_uac/down.ps1                windows7-x64          8
Night_uac/down.ps1                windows10-2004-x64    8
Night_uac/...gp.ps1               windows7-x64          3
Night_uac/...gp.ps1               windows10-2004-x64    3
General
  Target:  3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
  Size:    6.6MB
  Sample:  241018-vxavjs1bnm
  MD5:     ed24b048880a8a2a3b7ac4911a7e81df
  SHA1:    80f631b5481ec48729c3a738dc7ab003b4cd61c1
  SHA256:  3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
  SHA512:  fab270e82961ecf6c1db9a53eb0dc81b0a3d6251b39421486dfa6e6f20826577c2db0624444de39f8a91465fb5ab1530e5530480cdc9b5b33b8ab260350bfe2f
  SSDEEP:  196608:Xx3sgZH4wNNHmaqTE6kTcSzCkNBcjx3sgZdJ:h8CnDm7HORBcF8CdJ
Static task
  static1

Behavioral tasks
  Task          Sample                                   Resource
  behavioral1   AnyDesk.exe                              win7-20240729-en
  behavioral2   AnyDesk.exe                              win10v2004-20241007-en
  behavioral3   Archevod_XWorm.exe                       win7-20240903-en
  behavioral4   Archevod_XWorm.exe                       win10v2004-20241007-en
  behavioral5   ClickMe.lnk                              win7-20240903-en
  behavioral6   ClickMe.lnk                              win10v2004-20241007-en
  behavioral7   Cmstp.bat                                win7-20241010-en
  behavioral8   Cmstp.bat                                win10v2004-20241007-en
  behavioral9   GoogleChrome.exe                         win7-20240903-en
  behavioral10  GoogleChrome.exe                         win10v2004-20241007-en
  behavioral11  Hidden_Undected_CMSTP-Reflection.ps1     win7-20241010-en
  behavioral12  Hidden_Undected_CMSTP-Reflection.ps1     win10v2004-20241007-en
  behavioral13  Hidden_magic.vbs                         win7-20240903-en
  behavioral14  Hidden_magic.vbs                         win10v2004-20241007-en
  behavioral15  Manage.bat                               win7-20240903-en
  behavioral16  Manage.bat                               win10v2004-20241007-en
  behavioral17  Night_uac/Uac_main.ps1                   win7-20240903-en
  behavioral18  Night_uac/Uac_main.ps1                   win10v2004-20241007-en
  behavioral19  Night_uac/Uac_stage.ps1                  win7-20241010-en
  behavioral20  Night_uac/Uac_stage.ps1                  win10v2004-20241007-en
  behavioral21  Night_uac/Uac_stage_gen.py               win7-20240708-en
  behavioral22  Night_uac/Uac_stage_gen.py               win10v2004-20241007-en
  behavioral23  Night_uac/amsi.ps1                       win7-20240903-en
  behavioral24  Night_uac/amsi.ps1                       win10v2004-20241007-en
  behavioral25  Night_uac/amsi.ps1                       win7-20240729-en
  behavioral26  Night_uac/amsi.ps1                       win10v2004-20241007-en
  behavioral27  Night_uac/command.ps1                    win7-20240708-en
  behavioral28  Night_uac/command.ps1                    win10v2004-20241007-en
  behavioral29  Night_uac/down.ps1                       win7-20240903-en
  behavioral30  Night_uac/down.ps1                       win10v2004-20241007-en
  behavioral31  Night_uac/payloads/0malm7gp.ps1          win7-20240903-en
  behavioral32  Night_uac/payloads/0malm7gp.ps1          win10v2004-20241007-en
Malware Config

Extracted: xworm
  3.0
  topics-junior.at.ply.gg:45283
  7K8kkC78j4IfMAr6
  Install_directory:  %AppData%
  install_file:       wininit.exe

Extracted: quasar
  1.4.0
  Test
  scambaiting2022.ddns.net:25565
  192.168.1.3:25565
  41845399-4858-4791-bd1c-b2526f38e8cc
  encryption_key:     77693888CF811B44AE75658ADBCA8897192A96FF
  install_name:       update.exe
  log_directory:      Logs
  reconnect_delay:    3000
  startup_key:        Chrome Update
  subdirectory:       Chrome

Extracted: URLs
  http://54.208.157.120:80/Night_uac/amsi.ps1
  http://54.208.157.120:80/Night_uac/uac.ps1
  http://54.208.157.120:80/Night_uac/command.ps1
  http://54.208.157.120:80/Night_uac/down.ps1

Extracted: URLs
  http://54.208.157.120:80/Night_uac/Uac_main.ps1
  http://54.208.157.120:80/Night_uac/payloads/9usd7yge.ps1

Extracted: URL
  http://54.208.157.120:80/winlogin.exe

Extracted: asyncrat
  0.5.7B
  Default
  16.ip.gl.ply.gg:56795
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  127.0.0.1:10001
  127.0.0.1:9147
  windowsddns.duckdns.org:6606
  windowsddns.duckdns.org:7707
  windowsddns.duckdns.org:8808
  windowsddns.duckdns.org:10001
  windowsddns.duckdns.org:9147
  country-wellness.gl.at.ply.gg:6606
  country-wellness.gl.at.ply.gg:7707
  country-wellness.gl.at.ply.gg:8808
  country-wellness.gl.at.ply.gg:10001
  country-wellness.gl.at.ply.gg:9147
  AsyncMutex_6SI8OkPnk
  delay:              3
  install:            true
  install_file:       Days Out.exe
  install_folder:     %AppData%

Extracted: njrat
  im523
  scammer
  topics-junior.at.ply.gg:45283
  87fbb7d05011dd3c6b564f136007bf19
  reg_key:            87fbb7d05011dd3c6b564f136007bf19
  splitter:           |'|'|

Extracted: quasar
  1.4.1
  My VM
  myownvm.anondns.net:13832
  37.120.141.165:13832
  server1.trustedvpnservices.com:13832
  higradevpn.xyz:13832
  071e2576-e94a-492e-8303-baae1cb4641c
  encryption_key:     402F6F1B2F63357285F585A5880FBC2C0F468F55
  install_name:       ShellExperienceHost.exe
  log_directory:      Logs
  reconnect_delay:    3000
  startup_key:        Windows Shell Experience Host
  subdirectory:       drivers

Extracted: orcus
  Scammers
  44.203.122.41:1604
  b040a0c11d1a4273bc5428c0c9cb2c5b
  autostart_method:       Registry
  enable_keylogger:       true
  install_path:           %appdata%\Orcus\explorer.exe
  reconnect_delay:        9000
  registry_keyname:       Orcus
  taskscheduler_taskname: Orcus
  watchdog_path:          AppData\AnyDex.exe

Extracted: URLs
  http://54.208.157.120:80/scambtr_uac/amsi.ps1
  http://54.208.157.120:80/scambtr_uac/uac.ps1
  http://54.208.157.120:80/scambtr_uac/command.ps1
  http://54.208.157.120:80/scambtr_uac/down.ps1

Extracted: URLs
  http://54.208.157.120:80/scambtr_uac/Uac_main.ps1
  http://54.208.157.120:80/scambtr_uac/payloads/fm1ri21p.ps1

Extracted: xworm
  3.1
  miles-c.at.ply.gg:49826
  qzx0AtyVDsrQphps
  Install_directory:  %AppData%
  install_file:       USB.exe

Extracted: xworm
  180.ip.ply.gg:48892
  QWgaicbZP6H1puz7
  install_file:       USB.exe

Extracted: URL
  http://44.203.122.41:80/Obexe.ps1
Targets

Target: AnyDesk.exe
  Size:    2.9MB
  MD5:     7cd339f9be1417421acf8790c9738922
  SHA1:    c25eff4d9d2d5b55f1cc4ffc623354004565e8b9
  SHA256:  ec0ec7ce8ef71cb7e7d1c2418c47ad94cea8833db8578ccdf94271f8efed38d3
  SHA512:  f118ea660a51ff38abc20a9ad16f6505cf8a862df1b564829d9af06710e0c4b91d0abbedc4b852696acf0e807a25138d82c2fc518cd54c32dba92f513467b411
  SSDEEP:  49152:vAOdl4d7NHNUb75uEEbOyYWHxL9X5zT/dPUAUA/JH:El8DFWHTN
  Score:   1/10

Target: Archevod_XWorm.exe
  Size:    36KB
  MD5:     95b3c12592ed7de85aeb86fe9c54e23a
  SHA1:    4a6f7b46d077ad0e1dabea9f30efa95c52f79f3d
  SHA256:  50a3d3508c4b826b4e36678dd91b374c339b0c57a89a31cd3e9f5a4441772dc0
  SHA512:  7a1cd098641bbada8ad6015dfa6cb922ed425632eedc9c7b9ef2774b9c81ff74083d6d8549bb708f39f3dae479b53e46eddb068ed457883cd803ce593e50b08a
  SSDEEP:  768:tRmCfIsRkrkdeoQR/auzH9R1acc/FPr9lqO9h52ZL:tRmC8r+uL/EcKFz9lqO9yZL
  Score:   10/10
  Signatures:
    - Detect Xworm Payload
    - Drops startup file
    - Adds Run key to start application

Target: ClickMe.lnk.download
  Size:    1KB
  MD5:     08b5b3505abb428c860598363761f2e8
  SHA1:    2344992168414c023bd6851d63ea62520770365a
  SHA256:  3ba3c169988a8bc600b58e2ca578e36b48de210bbf058f61b3e7525af01c982d
  SHA512:  1b547c089197aba0dce835de875dbdb2c69ed2e9c2199f10ed767b642935dc1c3f50b1ef0521924459d09942fceac5478cf5a0471f94b7bc06c18da9149a2c4c
  Score:   8/10
  Signatures:
    - Checks computer location settings
      Looks up country code configured in the registry, likely geofence.

Target: Cmstp.bat
  Size:    264B
  MD5:     31254e5f0a767dba0d013d83d8949be8
  SHA1:    a5f59a60307eb142d30c3ff14b9b916dce8b3733
  SHA256:  1521435d9d3fb9dc5b08494130f2118b073a6bc6dc233e3ec404225a57b9c4b3
  SHA512:  c97829934e12efe7d8b78c177666ce1fe30c6a77e6617c06f8a0c23cd4a59a1ec625ee3edc72fe512ce79b56e4f3be716be6bd5ab4089b4ccdbb48b5b56a12d1
  Score:   10/10
  Signatures:
    - Blocklisted process makes network request

Target: GoogleChrome.exe
  Size:    690KB
  MD5:     5818f4fecb0dcc52227035dc0d88830b
  SHA1:    ccda411e1e7c643308f8c643b384ec979c185787
  SHA256:  1416bd55b04a4d8299c3e976e4e6a160850471e330d25f332f70d8ca618de894
  SHA512:  b245d21747c40722fd8c53a8bef3acb17aabce894ec6213547a2554f4c4f168b1d43f9a2f1383f4bfd4ccd436e3034d7aa64c6118aff9d886ea39c05ad7bb81f
  SSDEEP:  12288:jTEgdfY8l6hdV6l4et8klwIdctVdrcdirMBgJS9UOIK3:8UwBD6lbt8ufcVrcdiMCJSuOIK3
  Signatures:
    - Quasar payload
    - Executes dropped EXE

Target: Hidden_Undected_CMSTP-Reflection.ps1.bak
  Size:    13KB
  MD5:     39d26ba464405a52eec059c38fde3742
  SHA1:    b8e15337cbdfe46d6c712bf45a381b5a97d30db1
  SHA256:  5812fe6944f400d00f4ab4b4189779c3caddc419c3346842e30c07d238f4d186
  SHA512:  7fb159fbedc68cd0a353534b30cca7f0f6a95f327c69d2a4cc1b7d4c4b591ea893451b18f188d5739873a64c64bd314546a20bb272d76931cee1937a6104e337
  SSDEEP:  384:lc2055WPIbP1ermV2qvkXLuwYiou2tc428QuB:lc2eWgP1UIEuwhom4tQW
  Score:   8/10
  Signatures:
    - Drops file in System32 directory

Target: Hidden_magic.vbs
  Size:    122B
  MD5:     3e168164fe0f6469cb14efd628bb15de
  SHA1:    d1319d3c0264ee65258982090a8b8e6ea5832169
  SHA256:  acbd157e5546a03b6a1695974294b99f751a4a9ef21dcfc9794da26ee1623a23
  SHA512:  085d64420abf67fbeb394fb229e24fdd0be9139e320d63e9d249275013fee1a352499c985629800f694a4053a41499cc30d3913c1a783c3757804ff81de78439
  Score:   7/10
  Signatures:
    - Checks computer location settings
      Looks up country code configured in the registry, likely geofence.

Target: Manage.bat
  Size:    289B
  MD5:     3b001f8d88211bf2f64a1fbd7cfc22a4
  SHA1:    f27eec327bc4689848fcda18bf88402d649143c2
  SHA256:  303666e8136c8f5d1471f503dfa7ba32e5ac303f3b758a8af6a80cc7fdd61253
  SHA512:  2a94b1311fad0a408773ec30851f1a68d525b0db9a185865c1faf209eb1e6d8f8768ce35051e245b17e468714e645c2553898a833090e1ccb56db56e9bf2c4c3
  Score:   1/10

Target: Night_uac/Uac_main.ps1
  Size:    895B
  MD5:     550a412ff00f92f90795bec6a8c8286e
  SHA1:    1929e24de6fd883b4f5c191c317b272001a43973
  SHA256:  af1c04051180e61745b676d36bf583a9e95995a810bba71c26d6366fc4eedb6e
  SHA512:  7d29881c6f7f2be8a48bba0b7e7e755a02ae2c648320a9daedb68591f4995323c495d9c5bc4cbb79ad8321d4fdf55774d33d7eaaf36218336576e729ed3e7ade
  Score:   8/10
  Signatures:
    - Blocklisted process makes network request

Target: Night_uac/Uac_stage.ps1
  Size:    435B
  MD5:     9c0b29cea5533806aee83f5c49fcf6cd
  SHA1:    659155db6497a1d5c1e6fb2dc40b16f63bf0e1db
  SHA256:  e442ae7d9792416c46c134c8587ac7bfd947a6062c4abe9b700f83a5274b72cc
  SHA512:  72e6b4b55a4c16c12408a46b668073d0b09d59a0d4bc0941a33dc6859af8f8358df224f07d7fd2de780945c503c46a7f5cf98e957e4031884e9d0ec497463def
  Score:   8/10
  Signatures:
    - Blocklisted process makes network request

Target: Night_uac/Uac_stage_gen.py
  Size:    1KB
  MD5:     a68f17114a988b00f30a0eed296733ac
  SHA1:    22c4aa93ce3fc2a191f32359d6fe8c2ffe79dafb
  SHA256:  4d505f1f2b73cf7e857164dfdf1d18a4488f3b593a0ea9a7d051e9d46c15ddaf
  SHA512:  6d1a93c6f0389972477b6841d2e830874fbf45c1dbc446bbdfc884e0c6f69e0cb1dfbb23d0a0fa583d7308eb8cc83199b95eadb77fd84fd5a16db85732d7c96b
  Score:   3/10

Target: Night_uac/amsi.ps1
  Size:    1KB
  MD5:     ab586dd0a3d8dc473e8a12a5a4c6a484
  SHA1:    247455520a6b3706355e6afc4815fc0fbec331c4
  SHA256:  e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3
  SHA512:  898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20
  Score:   3/10

Target: Night_uac/amsi.ps1.bak
  Size:    1KB
  MD5:     ce55b86a579ff526c25fdfeb398fa285
  SHA1:    134fb6ec72f0123f5111333ca6d4c4a9c125cf67
  SHA256:  dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d
  SHA512:  ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f
  Score:   3/10

Target: Night_uac/command.ps1
  Size:    131B
  MD5:     5fe24b6b15d15df6b534a5815b6f0c9d
  SHA1:    b13c4de3c056ab8f96664d66fc2ad3b63278adfe
  SHA256:  e7c87640a365548db623dbbf029aa30b57f6d57e3040695b997d8dc073a35cf8
  SHA512:  ec354dc51d3a6885e0b32ed405becba092581a85d8060a8a901dbe1b41ff1ff55d2ae272a7651e8ef996acc7fd8e643bbec29b6d5d94ee00ab0a229c72457445
  Score:   3/10

Target: Night_uac/down.ps1
  Size:    278B
  MD5:     de07ecbd1be6e54daa4e8eaf6303b157
  SHA1:    d5865ba74f03ccf7c03e27d1399e6b46e85f895e
  SHA256:  ab12c751a1da5db32da6abb02fb8b24a873866b65ec45905db842877c7ff5c8d
  SHA512:  e8bc8f9f272c3ba792779292dd5cc4f64f7092e63de5d58ebe4e13a755000ea2ec195eb7b20c973865728aa0d9bf198e6bf68118533de2f6664185b5e07501da
  Score:   8/10
  Signatures:
    - Blocklisted process makes network request
    - Drops startup file

Target: Night_uac/payloads/0malm7gp.ps1
  Size:    44B
  MD5:     2d663bdc95565ef04c1d3db0e4bde2f0
  SHA1:    1c1aaa0b478be1cd6732825d73f90168fe7c5790
  SHA256:  80d6bdb1d89d5c6b81f4a09dc469cc5f0a094602ce2241e0d60fd714a7fc9327
  SHA512:  75de1067200dde50a559db01da8f2b4ea22735447ce4a85dae76703a4401213edb6921960aff1fd8de5a8dd86b5d0c071f43ba49592b0993c00fa6bc7980e152
  Score:   3/10
MITRE ATT&CK Enterprise v15
(counts per technique; each count was fused onto the following technique name in the extracted text)

Execution
  Command and Scripting Interpreter          2
    PowerShell                               2
  Scheduled Task/Job                         1
    Scheduled Task                           1

Persistence
  Boot or Logon Autostart Execution          1
    Registry Run Keys / Startup Folder       1
  Scheduled Task/Job                         1
    Scheduled Task                           1

Privilege Escalation
  Boot or Logon Autostart Execution          1
    Registry Run Keys / Startup Folder       1
  Scheduled Task/Job                         1
    Scheduled Task                           1