General

  • Target

    4363463463464363463463463.exe (3).zip

  • Size

    4KB

  • Sample

    241028-xpl9qavfqp

  • MD5

    3a174db0b8ea99669c7c2f96a62ee68f

  • SHA1

    40f1c7874bcd9bbcca93fb4fce4193ffc80d465c

  • SHA256

    2a856237a11dcf14b5f6ffd31ab9902c5b5353399bef296da68e1de8355dbda6

  • SHA512

    a42cb2569c1561c41d3239847144aac9fad14444631a2f80146070f4d23c48c027854afc795611914c99d437db8bc6b2c0052bd387a7a02b1ef7f1ef84d06fb7

  • SSDEEP

    96:IJJw44m9wvvlgV3Ld9tfjUDCe7RptKN9arTvYRkGn52I+nCYH5i:wJwFJvKV3LHtfjQCe7Lq9arsWdI+nCY8

Malware Config

Extracted

Family

xworm

C2

163.5.215.245:9049

Mutex

r3SLo8kx59hai6gX

aes.plain

Extracted

Family

redline

Botnet

Pizdun

C2

94.142.138.219:20936

Attributes
  • auth_value

    20a1f7fe6575c6613ee7cc5d3025af70

Extracted

Family

agenttesla

Credentials

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Receiving + Grabber v6.0.4

Botnet

NewClient

C2

157.20.182.183:4449

Mutex

fsqshvwapaxdhwtdp

Attributes
  • delay

    1

  • install

    false

  • install_file

    Winup.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1

Extracted

Family

xworm

Version

5.0

C2

110.164.203.191:7000

Mutex

AExowENWrg3jY19C

Attributes
  • Install_directory

    %Temp%

  • install_file

    windows32.exe

aes.plain

Extracted

Family

phorphiex

C2

http://185.215.113.84
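
The extracted configurations above are printed one item per line, which is awkward to pivot on. The following is an added example, not part of the sandbox report or its tooling, that parses that flat layout into structured records and emits a deduplicated list of network indicators. It assumes the sandbox's key names (Family, Botnet, Version, C2, Mutex, Language, URLs) and treats aes.plain, Credentials, Attributes and Deobfuscated as marker lines with no value. The embedded input is a constructed subset of this page's own configs; the ExtractedConfig class and the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed input: part of this report's "Malware Config" section, flattened into the
# one-item-per-line layout the sandbox uses (values are the page's own, layout is mimicked).
SAMPLE_CONFIG = """\
Extracted
Family
xworm
C2
163.5.215.245:9049
Mutex
r3SLo8kx59hai6gX
aes.plain
Extracted
Family
redline
Botnet
Pizdun
C2
94.142.138.219:20936
Extracted
Language
ps1
URLs
https://raw.githubusercontent.com/43a1723/test/refs/heads/main/shellcode/loaderclient.ps1
Extracted
Family
phorphiex
C2
http://185.215.113.84
"""

SCALAR_KEYS = {"Family": "family", "Botnet": "botnet", "Version": "version", "Language": "language"}
LIST_KEYS = {"C2": "c2", "Mutex": "mutexes", "URLs": "urls"}
MARKERS = {"aes.plain", "Credentials", "Attributes", "Deobfuscated"}  # printed without a value
ENDPOINT_RE = re.compile(r"^(?:(?P<scheme>https?)://)?(?P<host>[^:/\s]+)(?::(?P<port>\d+))?")


@dataclass
class ExtractedConfig:
    family: Optional[str] = None
    botnet: Optional[str] = None
    version: Optional[str] = None
    language: Optional[str] = None
    c2: List[Tuple[str, Optional[int]]] = field(default_factory=list)
    mutexes: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def parse_endpoint(value: str) -> Tuple[str, Optional[int]]:
    """'host:port' or 'http://host[:port]' -> (host, port); a bare scheme implies its default port."""
    m = ENDPOINT_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable C2 endpoint: {value!r}")
    port = m.group("port") or {"http": "80", "https": "443"}.get(m.group("scheme"))
    return m.group("host"), (int(port) if port else None)


def parse_extracted(text: str) -> List[ExtractedConfig]:
    """One ExtractedConfig per 'Extracted' block; a key line is followed by its value line(s)."""
    configs: List[ExtractedConfig] = []
    current: Optional[ExtractedConfig] = None
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            current = ExtractedConfig()
            configs.append(current)
            key = None
        elif line in MARKERS:
            key = None
        elif line in SCALAR_KEYS or line in LIST_KEYS:
            key = line
        elif current is None or key is None:
            continue  # stray text outside any key/value pair
        elif key in SCALAR_KEYS:
            setattr(current, SCALAR_KEYS[key], line.lower() if key == "Family" else line)
        elif key == "C2":
            current.c2.append(parse_endpoint(line))
        else:
            getattr(current, LIST_KEYS[key]).append(line)
    return configs


def network_iocs(configs: List[ExtractedConfig]) -> List[str]:
    """Sorted, deduplicated host[:port] indicators from C2 entries and URL hosts."""
    iocs = set()
    for cfg in configs:
        for host, port in cfg.c2:
            iocs.add(f"{host}:{port}" if port is not None else host)
        for url in cfg.urls:
            iocs.add(urlparse(url).hostname or url)
    return sorted(iocs)


if __name__ == "__main__":
    print(network_iocs(parse_extracted(SAMPLE_CONFIG)))
```

Running it prints the sorted host:port list. The phorphiex entry normalises to port 80 because only a scheme was recorded; that is a default the parser supplies, so confirm it against the actual network capture before turning it into a block rule.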

Targets

    • Target

      4363463463464363463463463.exe.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • AsyncRat

      AsyncRAT is a remote administration tool written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • Modifies security service

    • Phorphiex family

    • Phorphiex payload

    • Phorphiex, Phorpiex

      Phorphiex (Phorpiex) is a malware family that infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • VenomRAT

      Detects VenomRAT - JaffaCakes118.

    • Venomrat family

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext
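
The behaviour signatures above (Defender exclusions added through PowerShell, a Run key for persistence, stopping and creating services, enumerating processes with tasklist) map directly onto process-creation telemetry. Below is an added example, not the sandbox's own detection logic, that runs such rules over constructed Sysmon-style events and then groups the hits by parent image, since the report's chain is one dropped executable driving several of these behaviours. The events, the victim paths, the placeholder service name ExampleSvc and the rule names are made up for the example; only the sample filename and the Winup.exe install path come from the report.

```python
import re
from typing import Callable, Dict, List

# Constructed Sysmon-style process-creation events (not from the sandbox run) that mimic the
# behaviours this report's signatures describe; only the sample name and Winup.exe are the page's.
SAMPLE_EXE = r"C:\Users\victim\AppData\Local\Temp\4363463463464363463463463.exe"
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": "powershell -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming' "
                    "-ExclusionExtension exe -ExclusionProcess Winup.exe"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winup /t REG_SZ '
                    r'/d "C:\Users\victim\AppData\Roaming\Winup.exe" /f'},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": "sc stop ExampleSvc"},  # ExampleSvc is a placeholder service name
    {"Image": r"C:\Windows\System32\tasklist.exe", "ParentImage": SAMPLE_EXE,
     "CommandLine": "tasklist /v"},
    # Benign look-alikes: reading Defender settings and querying the Run key must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Get-MpPreference"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'},
]


def _cmd(ev: Dict[str, str]) -> str:
    return ev.get("CommandLine", "")


def _image(ev: Dict[str, str]) -> str:
    return ev.get("Image", "").lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# Each rule keys on the verb as well as the object so that read-only look-alikes stay quiet.
RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    # T1562.001: PowerShell adding Defender exclusions ("Windows security modification")
    "defender_exclusion_added": lambda ev: _image(ev).endswith(("powershell.exe", "pwsh.exe"))
        and _has(r"\b(?:Add|Set)-MpPreference\b", _cmd(ev))
        and _has(r"-Exclusion(?:Path|Extension|Process)\b", _cmd(ev)),
    # T1547.001: writing under ...\CurrentVersion\Run ("Adds Run key to start application")
    "run_key_persistence": lambda ev: _has(r"\\CurrentVersion\\Run\b", _cmd(ev))
        and _has(r"\breg(?:\.exe)?\s+add\b|\b(?:Set|New)-ItemProperty\b", _cmd(ev)),
    # T1489: stopping services ("Stops running service(s)")
    "service_stopped": lambda ev: _has(r"\b(?:sc|net)(?:\.exe)?\s+stop\b|\bStop-Service\b", _cmd(ev)),
    # T1543.003: creating services ("Creates new service(s)")
    "service_created": lambda ev: _has(r"\bsc(?:\.exe)?\s+create\b|\bNew-Service\b", _cmd(ev)),
    # T1057: process discovery ("Enumerates processes with tasklist")
    "process_enumeration": lambda ev: _image(ev).endswith("tasklist.exe")
        or _has(r"\btasklist(?:\.exe)?\b", _cmd(ev)),
}


def match_events(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Indices of the events each rule fires on."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)] for name, rule in RULES.items()}


def suspicious_parents(events: List[Dict[str, str]], min_rules: int = 2) -> Dict[str, List[str]]:
    """Group fired rules by the spawning process; a parent driving at least min_rules distinct
    behaviours is what the report's dropped-EXE chain looks like in telemetry."""
    by_parent: Dict[str, set] = {}
    for ev in events:
        fired = {name for name, rule in RULES.items() if rule(ev)}
        if fired:
            by_parent.setdefault(ev.get("ParentImage", "<unknown>"), set()).update(fired)
    return {parent: sorted(rules) for parent, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for name, idx in match_events(EVENTS).items():
        print(f"{name:26s} {idx}")
    print(suspicious_parents(EVENTS))
```

The two benign events (Get-MpPreference and a reg query of the Run key) are there to show why each rule checks the verb as well as the object: a rule that matched on CurrentVersion\Run alone would fire on routine inventory scripts. The parent-grouping step is what lifts a pile of low-severity hits into one finding against the dropped executable.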

MITRE ATT&CK Enterprise v15
