General

  • Target

    https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0&
    https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI

  • Sample

    241114-sed35s1djk

Malware Config

Extracted

Family

xworm

C2

dec-mg.gl.at.ply.gg:58334

147.185.221.23:58334

changes-tiny.gl.at.ply.gg:57342

147.185.221.23:57342

person-bedford.gl.at.ply.gg:27900

147.185.221.23:27900

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7517837255:AAFFYwsM3RAJTfnCWwagMLHeBQRG-F4UScg/sendMessage?chat_id=7538845070

Targets

    • Target

      https://cdn.discordapp.com/attachments/1305576456365146163/1306629137149988928/XneoPinCrackerV1.03.exe?ex=67375cb6&is=67360b36&hm=e213b19c808dbed2a865b7eb2ffc745892e24be362d0bab5c5319ca07615cfd0&
      https://discord.com/api/webhooks/1306635202000322631/RZjYBAzL9oWlwvRjseb5WY_8BrrbDlxtRJlS6qHFp3QITJ06B1OAzzG8mUBYR57i95cI

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempts to gather information on the host network.

MITRE ATT&CK Enterprise v15