Overview

overview

10

Static

static

10

Lime-Multi...in.zip

windows10-2004-x64

10

Lime-Multi...DME.md

windows10-2004-x64

3

Lime-Multi...ts.txt

windows10-2004-x64

1

Lime-Multi...ain.py

windows10-2004-x64

3

Lime-Multi...11.exe

windows10-2004-x64

8

�4o.��_.pyc

windows10-2004-x64

Lime-Multi...rt.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lime-MultiTool-main.zip

  • Size

    8.5MB

  • Sample

    241114-vhkffa1fnh

  • MD5

    2527f8ae11ff8284413efbafd309eebe

  • SHA1

    0448d5f8e6127247cf928e3bc5f8c36a4a6b7166

  • SHA256

    d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

  • SHA512

    7b01d5e244ea7e55f3a0f71d4f2ce3be105b9d268190e9999bb32aca4017a5096b02fb3c04b4826a54906a6005de66ca949b4232f10161b6c4016a6a5d2249bc

  • SSDEEP

    196608:qvtyXaw/YhZIIdyMGkXmyQscGZ0UDh9eAxcqctMy4yU:qFyqEqIIdyMGkXUscGFDh9eAxYlU

Score
10/10
blankgrabberxwormcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

45.83.246.140:30120

Attributes
  • Install_directory

    %AppData%

  • install_file

    runtime.exe

Targets

    • Target

      Lime-MultiTool-main.zip

    • Size

      8.5MB

    • MD5

      2527f8ae11ff8284413efbafd309eebe

    • SHA1

      0448d5f8e6127247cf928e3bc5f8c36a4a6b7166

    • SHA256

      d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

    • SHA512

      7b01d5e244ea7e55f3a0f71d4f2ce3be105b9d268190e9999bb32aca4017a5096b02fb3c04b4826a54906a6005de66ca949b4232f10161b6c4016a6a5d2249bc

    • SSDEEP

      196608:qvtyXaw/YhZIIdyMGkXmyQscGZ0UDh9eAxcqctMy4yU:qFyqEqIIdyMGkXUscGFDh9eAxYlU

    Score
    10/10
    xwormdiscoveryexecutionpersistenceprivilege_escalationrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

    • Target

      Lime-MultiTool-main/README.md

    • Size

      1KB

    • MD5

      ba461e30259957953bf31bf9981e3390

    • SHA1

      0400f423ae2e8fd22cfc785c759135b88e94cdf1

    • SHA256

      a3cbb4f8fba8ac265a4710d94cce6d041e0d0c5ce552f91ecddbee1dbbb4525d

    • SHA512

      e09642771b5e29170789aadf185a88bc86faf810376925d009300c34d96d606eb10a0c0449046c43a15be388102ee8815c645760f9794ef858a6ba60453d0bbc

    Score
    3/10
    behavioral2

    • Target

      Lime-MultiTool-main/requirements.txt

    • Size

      261B

    • MD5

      89116f1c508bfe1d69dfe6c1c3aa7c2e

    • SHA1

      d2127555fb5e4d5a9de9de23e616494d701e794d

    • SHA256

      6741a5c449f96b03e8f593746283c9fa7313c2adffb13c09eed7fbb76395ad16

    • SHA512

      62f3b3c23bb197bb21740563152415f84b4a3e3330f17fa7019a776cee7fe47fae2d991d746c00cdb29cb7bb7d5347f6ae21bdf3f6876f295edf5301a33da481

    Score
    1/10
    behavioral3

    • Target

      Lime-MultiTool-main/src/main.py

    • Size

      10KB

    • MD5

      20bf3cb36efe0d6892662a45305c513b

    • SHA1

      5b07501a82e6fbdbc267f75ad86f5ad9de6b77ab

    • SHA256

      4290ec5465d14f98801de3400e0cb078586b6e27bc4bf6c7a1f87de036e8a6c9

    • SHA512

      d3d719cb129ff20a1a70bc072e30a2fa18f9813631983d3e08882c88859588e13d631ebf22d0e471de3142ac292b7efabc085310d8eecbaa99b8be1245cad83c

    • SSDEEP

      192:MTqreYeTbvBTHF1Z0SQuHaNOVV583zcapKENphISRfm2fT2yUAtCrBC1b8bd4CyD:MToeTbvBTlXCa7bujRs8pWS+QinACIBP

    Score
    3/10
    behavioral4

    • Target

      Lime-MultiTool-main/src/utils/__pycache__/cpython-311.pyc

    • Size

      7.4MB

    • MD5

      1a2ff293768d10b8c99d3cd2950164b9

    • SHA1

      e9123a3d2a53b5f8d008db9608037dd0571f3cae

    • SHA256

      3c09a37412bf3981e5d678b6598c2cdad32fcd6761fc649a50693ba45746e242

    • SHA512

      ff8a853675431bc36d88288546d7f467f239ae2e4e7ef019476ac4ca06f715e88f201753d7201dbfacb3b6dca51be764036372de8a8c0def29e00ae5e9469941

    • SSDEEP

      98304:FWeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTfHfyk6LK4dSI23o7yc:FPYmOshoKMuIkhVastRL5Di3tO/ys42O

    Score
    8/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5

    • Target

      �4o.��_.pyc

    • Size

      1KB

    • MD5

      5cd2babd20950cb48630fa3b9da3ca36

    • SHA1

      0393880a2937f9c306ab46d63d8a65638a6c8cac

    • SHA256

      85c21e48e59e603126503a1b4ca5645e84305b6045a0dc0210a5a20070c7f1e7

    • SHA512

      25536f8de19ca0d3cd1dbc776bd9aa72ebdbf3cf3b71c883761b90e8d08858281c5f79a3ddbf2b4d9406024e89f0410a29c3e32f535f214ac3b418a6a6a8fc3d

    Score
    1/10
    behavioral6

    • Target

      Lime-MultiTool-main/start.bat

    • Size

      30KB

    • MD5

      288f9aa2144276b6994dbf5a69a8da59

    • SHA1

      b860a86ca3c2b0bcd752c05a15d5bd745dfc506a

    • SHA256

      dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4

    • SHA512

      1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f

    • SSDEEP

      48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral7

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Process Discovery

1
T1057

Query Registry

5
T1012

Remote System Discovery

1
T1018

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks