General

  • Target

    SAMCHEATbypass.exe

  • Size

    762KB

  • Sample

    241118-xmt7jsspaz

  • MD5

    5dde6a5017cbb35cf1710069cf9be274

  • SHA1

    a2bb6090abf23364d36210c6fc8ac2c28f8234d2

  • SHA256

    83b5438b0b9aebf778440dcb77eb52b0231133487bdb3b372a91523505ab63c2

  • SHA512

    c7584c7feb4a90feb330a4c0a7e13ca1e785bea150873f30d61f420d6c917e9cd24f69fcb9acf2fe5b8aa1218abb6ea6f0ca1e76d01a8c70bcf95dffe279031b

  • SSDEEP

    12288:5MsLc8V26+8XwREFqAgkRnQWTCoA8JmxfBdEAMjAaDvxCxRc:5MsAT89FDL6oLmhYDjXD4Rc

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:58112

Attributes

  • Install_directory

    %AppData%

  • install_file

    Realtek HD Audio Universal Service.exe

Extracted

Family

xworm

Version

5.0

C2

147.185.221.20:65300

Mutex

RMe1pa1UgjNcB2Un

Attributes

  • Install_directory

    %AppData%

  • install_file

    Windows Shell Experience Host.exe

aes.plain

Targets

    • Target

      SAMCHEATbypass.exe

    • Size

      762KB

    • MD5

      5dde6a5017cbb35cf1710069cf9be274

    • SHA1

      a2bb6090abf23364d36210c6fc8ac2c28f8234d2

    • SHA256

      83b5438b0b9aebf778440dcb77eb52b0231133487bdb3b372a91523505ab63c2

    • SHA512

      c7584c7feb4a90feb330a4c0a7e13ca1e785bea150873f30d61f420d6c917e9cd24f69fcb9acf2fe5b8aa1218abb6ea6f0ca1e76d01a8c70bcf95dffe279031b

    • SSDEEP

      12288:5MsLc8V26+8XwREFqAgkRnQWTCoA8JmxfBdEAMjAaDvxCxRc:5MsAT89FDL6oLmhYDjXD4Rc

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Realtek HD Audio Universal Service.exe

    • Size

      53KB

    • MD5

      ce3e5f8613ea049b651549eba3e3aa28

    • SHA1

      1197375be314ae5a69f3b742f0f539b881aca09a

    • SHA256

      9385116a4a3874548ffa027f4cd448d860ef8dc13fc687ce87790a01ede8e73a

    • SHA512

      ab1428177b5ec71447003ac01f5f99d9c7f2af634f17ef53d6f6be196714faac856b0bc3f62b6fad9975dad970ec247d35f56615c62b9ad483426f4ecaae71c2

    • SSDEEP

      768:/63AQe9cfNbv5s7Xol68y+JN/Db3dLPowu7aR6vaTOouhIZqklm:/WAQbdvoolZJ9b3dLPoCR68OnkZ8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      SAM CHEAT bypass.exe

    • Size

      1.3MB

    • MD5

      d46bcf5d90966c10fb75419041fae79f

    • SHA1

      9db2c47dd39acd50983c963d370045fcb956d72a

    • SHA256

      edcef9f0255fa29acdfd80bbfb03abea630eb152b19f20fca12fdd88ccf9b399

    • SHA512

      26a241bb87b5abafbba8209135c49163e9ee97ef4f8eaa4dbaf5723b9ce7038b6bdfa9926da29ad3728a854d424168384605c3f494dc29f55249b96adcbe7fb2

    • SSDEEP

      24576:0S4dXDULoWkg4Wjso/0ea76E566/SnkUBY6x9eno8YdO/:v45ULJkkMFlc6qnkUBY

    • Score

      1/10

    • Target

      Windows Shell Experience Host.exe

    • Size

      86KB

    • MD5

      17f122079462e212871a1e2eb20eaff9

    • SHA1

      349e4b54323acce835916a2bbe40dc9c5d30931f

    • SHA256

      f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e

    • SHA512

      95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94

    • SSDEEP

      768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15