Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912

  • Sample

    241114-sc3nqazpcw

Score
10/10
stormkittyxwormcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

dec-mg.gl.at.ply.gg:58334

147.185.221.23:58334

changes-tiny.gl.at.ply.gg:57342

147.185.221.23:57342

person-bedford.gl.at.ply.gg:27900

147.185.221.23:27900
Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Targets

    • Target

      https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0& _|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items.|_80494648FA815E3F34DE90C838CF07F4E992D60DD39F5ADFFB3590C2E2822FF36758424208C052F528F167A337DEFB238D9E6A3D654E2A68BC7D277CAF7DD1A02FD69CE7D1A741DF654ACAC590A70D64D46005B9C5124C4115BA8681C9936B20C930A12691027B080407C5851E767DF247DB69E4E5A266D671D4B68B0EE28FB9AFF13C4F937A1218C88F437B16EA156D894C1881AF50433E19657FC7F455BFA01E34B532CF18827D3ED0A3EAFCBB7975C3D093A9A4DDD3BDE3F563645FAA5B9093B2C1F4EDD8FA77B2FAB76334F362A937BF6A3D0ADFC14A982B61849E487D283D4507F5A53A4442C5EB6694F69DD091403696B0A7F0181D7430E88098DCF90CCB5793F182D8A85F11F4D1C0B345754C75F3CA7366F094824FA25BBB026C8D012E310804EB0C9F87CE9CEBBFF1B1AE81DB209F378FC57D46F52EC458B4A28699743C00E8836426E55578A1342B20628605753C4AF436A352E338CC483155DCE8DCE9ED53DAC158A3E599B986D2F48254346341C4A5D0D0CFE7AE8F15FEF02F7B2A36A94885579B01990668C0D3B774B53FB6BE2922CDAD9F5F3D1FB9D085C9612004F6948A6D4C349438EEFA3F03A131232F13C799C29F93B745BA6A2A3E2130CBE822E2E7DBEBF6002FFAC23A5444A1B6B6FC8D86DD2E3F2D763EF5C50101EE11C33F2CB31B307C4AEA01C0881ABA1CA165377EBEB705CBD8D5609BED7F2AA59955DDCDBCBDE7EE3FA1067E0419E06FB9694C5357BA1AE08E2CFC359CDD5E8279A3E56FCAE851D67677C0BCE4B64C5E6A9030DFF1B076BADEAA7E3C91518D4111688F3E995837E5BCA643738683C11BACB5728679E1603F229432E61B49DA1AD2E08E82E9803A42BD56A84A4BF94691398DDAA5390CA1BC416E665B63300747D04AC0BDCC423D330260EA4D5F5ED09309F30BAB1D4F402468347090CE9F76FEA7E7366802C2E9ED9E987CFD47F34FE4B227661F4D9481F8AEBC9B056CACF6008D63FA0BB843300644D1E3B08D33242CD29FE9DC6DD67DD72C166083A1F696420F2E14DA4C65A94677E51688214D92D115B39C509E0F0A0E447E462ADB34FAFA2C1A117BC5DD67C3687931AECAE1B74CA2316912

    Score
    10/10
    stormkittyxwormcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Share Discovery

1
T1135

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

5
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Tasks