blankgrabber | d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

General

Target

Lime-MultiTool-main.zip
Size

8.5MB
Sample

241113-xgvwws1jam
MD5

2527f8ae11ff8284413efbafd309eebe
SHA1

0448d5f8e6127247cf928e3bc5f8c36a4a6b7166
SHA256

d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c
SHA512

7b01d5e244ea7e55f3a0f71d4f2ce3be105b9d268190e9999bb32aca4017a5096b02fb3c04b4826a54906a6005de66ca949b4232f10161b6c4016a6a5d2249bc
SSDEEP

196608:qvtyXaw/YhZIIdyMGkXmyQscGZ0UDh9eAxcqctMy4yU:qFyqEqIIdyMGkXUscGFDh9eAxYlU

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

45.83.246.140:30120

Attributes

Install_directory
%AppData%
install_file
runtime.exe

Targets

- Target
  
  Lime-MultiTool-main/src/main.py
- Size
  
  10KB
- MD5
  
  20bf3cb36efe0d6892662a45305c513b
- SHA1
  
  5b07501a82e6fbdbc267f75ad86f5ad9de6b77ab
- SHA256
  
  4290ec5465d14f98801de3400e0cb078586b6e27bc4bf6c7a1f87de036e8a6c9
- SHA512
  
  d3d719cb129ff20a1a70bc072e30a2fa18f9813631983d3e08882c88859588e13d631ebf22d0e471de3142ac292b7efabc085310d8eecbaa99b8be1245cad83c
- SSDEEP
  
  192:MTqreYeTbvBTHF1Z0SQuHaNOVV583zcapKENphISRfm2fT2yUAtCrBC1b8bd4CyD:MToeTbvBTlXCa7bujRs8pWS+QinACIBP
Score

3^/10

discovery
behavioral1
- Target
  
  Lime-MultiTool-main/src/utils/__pycache__/cpython-311.pyc
- Size
  
  7.4MB
- MD5
  
  1a2ff293768d10b8c99d3cd2950164b9
- SHA1
  
  e9123a3d2a53b5f8d008db9608037dd0571f3cae
- SHA256
  
  3c09a37412bf3981e5d678b6598c2cdad32fcd6761fc649a50693ba45746e242
- SHA512
  
  ff8a853675431bc36d88288546d7f467f239ae2e4e7ef019476ac4ca06f715e88f201753d7201dbfacb3b6dca51be764036372de8a8c0def29e00ae5e9469941
- SSDEEP
  
  98304:FWeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTfHfyk6LK4dSI23o7yc:FPYmOshoKMuIkhVastRL5Di3tO/ys42O
Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  Lime-MultiTool-main/start.bat
- Size
  
  30KB
- MD5
  
  288f9aa2144276b6994dbf5a69a8da59
- SHA1
  
  b860a86ca3c2b0bcd752c05a15d5bd745dfc506a
- SHA256
  
  dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4
- SHA512
  
  1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f
- SSDEEP
  
  48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral3