blankgrabber | 11ba97f6d0c8491d14372948dbac71c5a7b24d4f492b9ec1b5afde5c3d5473b7

General

Target

11ba97f6d0c8491d14372948dbac71c5a7b24d4f492b9ec1b5afde5c3d5473b7.zip
Size

7.4MB
Sample

241021-beeagascqq
MD5

d237ad10bfb8932d128cd33ab30e135a
SHA1

211b47dc05eb69d717fd3da0f57c8449073d7e38
SHA256

11ba97f6d0c8491d14372948dbac71c5a7b24d4f492b9ec1b5afde5c3d5473b7
SHA512

d260843d5600838eb6b6ccb4c8cde079c05d79acbecab5c2969fb3e149164f8337f52e45dbad8b16d75e66a7255bb534d207a70e5123904f3aab8432d1b60165
SSDEEP

196608:sSwiLBjnEbHEdTZT0Awc2cZUt2m1B1r+3pyXu/x:twwrEDEZZ0AvPZUZ1B24eJ

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.216.19.12:7000

Mutex

pmb6Tw0klnC0ZY4L

Attributes

Install_directory
%AppData%
install_file
notepad.exe
telegram
https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk

aes.plain

Targets

- Target
  
  autoupts.exe
- Size
  
  7.5MB
- MD5
  
  08d3f972602755f9941054edc2b97d96
- SHA1
  
  7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58
- SHA256
  
  9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206
- SHA512
  
  dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930
- SSDEEP
  
  196608:Iw8PENLjv+bhqNVoB0SEsucQZ41JBbIr11ms:t8PmL+9qz80SJHQK1JG1Ys
Score

10^/10

upx xworm collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2