General

  • Target

    Stake Predictor V 5.6.zip

  • Size

    317KB

  • Sample

    241104-s637cascra

  • MD5

    7f1895f28572eac0cdd144871e4d199c

  • SHA1

    862c63d81fd329319292b07e01ccc2bbbb5b3127

  • SHA256

    bf28455f877a2145e3f8cbce03043bd2da1bbcf254554c825d0ca7ef44a3ac9e

  • SHA512

    b5c4633d9fc6fe19c338de8d29404d06b885892204e02aab2d359f77520f9c9474a6b1e70b80477615dd370db50f0eb87be0ed86fad32b35f32872c68c70266d

  • SSDEEP

    6144:OICrtq9yqbnKHSHUaNHAl1GTrkgXIyWKhrdniq5JLmjK7WmvHaNZKcA7ui:OIUqbtXHcCQPyWudVJinbtAH

Malware Config

Extracted

Family

xworm

Version

5.0

C2

elaablibeh.ddnsgeek.com:333

Mutex

H2uCbv9oDpjhsel0

Attributes
  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      Stake Predictor V 5.6/Stake.exe

    • Size

      280KB

    • MD5

      10f238a887ff1f11bedd1f0be61114f9

    • SHA1

      72e46ce52458ed42c97a6d4166a91c7e32e50d76

    • SHA256

      5681579f563c5bb1ad9fdde52af6a6b0f1814b5999173270a4c163f02804ade3

    • SHA512

      95d178c485161f8ee023bb3b76075268d3b58eee17b82983b02415450c97b06da304e1f383a93c8c392817dd2c8ca465bb8aa5f03abdb32843c69cd9f7ec1d1b

    • SSDEEP

      3072:/bkvC5Bs/mTfSfhFLTY6RBWsWDsvs5xgVqaQse/NXyHrenqYgn6+:/bkvC5ByAn1IsbgVYselXyHrYqpX

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Indicator Removal: Clear Windows Event Logs

      Clears Windows Event Logs to hide the activity of an intrusion.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      Stake Predictor V 5.6/data/Stake.exe

    • Size

      8KB

    • MD5

      1e1a03c1926def157aba3d0c5c116604

    • SHA1

      d69e4a2fb990142cff4831777e3f57142a934bf0

    • SHA256

      7c8f2a2ffbe4da5c85f2c764b988feceaed2b7fb21049196e8c014fdf9ee934c

    • SHA512

      483fed1453f3ae455cab86ad0d4cf0cc53a6da985f89352c85b4048a52e0978255e073216c0c938faa63815e8c5ad77dd5bc8708446cc1eac6491da93c05ff31

    • SSDEEP

      96:mpjMzQ9XSX5bPBKXcTnw7y3WNtW1jYcFKNVcz1W4oKYMsLYUa:mdMGZcTnky8stYcFwVc03KY

    Score
    1/10
    • Target

      Stake Predictor V 5.6/data/x64.dll

    • Size

      290KB

    • MD5

      3c40023aa09d1d2d2dc0e5ef7a1710f8

    • SHA1

      0f292bd65458445570f55361a3744ebe9e29c7f0

    • SHA256

      796fffd30de115770dd737e02e94cf991c13e5aba34b5cd289c5778054c14b7d

    • SHA512

      1d1164b0c9c2ccfb7bed2417ee1faf3d76698dcacbcb420db704a32c163ce11de9c5d8f664d51d1131efac91593f512daa7f53de6d741447c30d42a1039b042d

    • SSDEEP

      6144:CiLUiLU33YA0cjDtHluVohs5/X27iD6Lu+CgL/goWZl+9IGWZmTA8s:jLNLo3ecTuVloLuQ4oy+92ZsAb

    Score
    1/10
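The extracted XWorm config above (C2 host and port, install filename) and the behaviours flagged for Stake.exe (hidden-window PowerShell, Security log clearing, the payload hash) translate directly into host-telemetry detections. The following Python is an added example, not part of the Triage report and not tooling from the report's author: it runs a small rule set over constructed Sysmon-style events (the field names, file paths, IP address and the event list are this example's own assumptions, not real logs) and, because the report gives the C2 only as a hostname, correlates the DNS lookup of the C2 domain with a later connection to port 333 from the same process rather than alerting on the port alone.

```python
import re

# Indicators copied from the report above (XWorm 5.0 config and the Stake.exe SHA256).
C2_HOST = "elaablibeh.ddnsgeek.com"
C2_PORT = 333
INSTALL_FILE = "USB.exe"
PAYLOAD_SHA256 = "5681579f563c5bb1ad9fdde52af6a6b0f1814b5999173270a4c163f02804ade3"

# Assumed path for the dropped archive contents (not from the report).
STAKE_IMAGE = r"C:\Users\bob\Downloads\Stake Predictor V 5.6\Stake.exe"

# Constructed sample telemetry (not real logs): Sysmon-style events plus one
# Security-channel 1102 record. Field names are this example's own convention.
SAMPLE_EVENTS = [
    {"provider": "Sysmon", "event_id": 1, "image": STAKE_IMAGE,
     "hashes": "SHA256=" + PAYLOAD_SHA256.upper(),
     "command_line": '"' + STAKE_IMAGE + '"'},
    {"provider": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "Start-Sleep 1"',
     "parent_image": STAKE_IMAGE},
    {"provider": "Sysmon", "event_id": 22, "image": STAKE_IMAGE,
     "query_name": "ELAABLIBEH.DDNSGEEK.COM"},          # DNS query (case differs on purpose)
    {"provider": "Sysmon", "event_id": 3, "image": STAKE_IMAGE,
     "destination_ip": "203.0.113.10", "destination_port": 333},
    {"provider": "Sysmon", "event_id": 11, "image": STAKE_IMAGE,
     "target_filename": r"C:\Users\bob\AppData\Roaming\USB.exe"},
    {"provider": "Microsoft-Windows-Eventlog", "event_id": 1102, "channel": "Security"},
    # Benign noise that must not fire.
    {"provider": "Sysmon", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"provider": "Sysmon", "event_id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "destination_ip": "203.0.113.10", "destination_port": 443},
]


def _basename(path: str) -> str:
    """Return the final path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def is_hidden_powershell(command_line: str) -> bool:
    """True when a PowerShell command line asks for a hidden window.

    PowerShell accepts any unambiguous prefix of -WindowStyle (-w, -win, ...),
    so the switch is matched as '-w<anything> hidden' rather than the full name.
    """
    if not re.search(r"(?i)\bpowershell(?:\.exe)?\b", command_line):
        return False
    return re.search(r"(?i)-w\w*\s+hidden\b", command_line) is not None


def hunt(events):
    """Run the report-derived rules over events; return (rule_name, event_index) pairs."""
    hits = []
    c2_resolvers = set()  # images that queried the C2 domain, keyed for later correlation
    for idx, ev in enumerate(events):
        eid = ev.get("event_id")
        image = ev.get("image", "").lower()
        if eid == 1:
            if PAYLOAD_SHA256 in ev.get("hashes", "").lower():
                hits.append(("known_xworm_payload_hash", idx))
            if is_hidden_powershell(ev.get("command_line", "")):
                hits.append(("powershell_hidden_window", idx))
        elif eid == 22 and ev.get("query_name", "").lower().rstrip(".") == C2_HOST:
            c2_resolvers.add(image)
            hits.append(("dns_query_to_c2", idx))
        elif eid == 3 and ev.get("destination_port") == C2_PORT and image in c2_resolvers:
            # Port 333 alone is weak; require the same process to have resolved the C2 name.
            hits.append(("connection_to_c2_port", idx))
        elif eid == 11 and _basename(ev.get("target_filename", "")) == INSTALL_FILE.lower():
            hits.append(("install_file_dropped", idx))
        elif eid == 1102 and ev.get("provider") == "Microsoft-Windows-Eventlog":
            # Security 1102 is written when the Security log is cleared.
            hits.append(("security_log_cleared", idx))
    return hits


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:28s} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The mutex from the config is deliberately not matched here: Sysmon records no mutex creation, so it is only useful on a live host (handle enumeration) or in a memory image. Event ID 1102 covers the Security log only; clearing other channels produces System event 104 from the same provider, which the rule can be extended to match once that telemetry is confirmed in your environment.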

MITRE ATT&CK Enterprise v15

Tasks