General

  • Target

    SAM X CHEAT crack1.exe

  • Size

    3.1MB

  • Sample

    241119-xr23ysznhz

  • MD5

    82a95b30418e5c4c3cba62b7805b09c9

  • SHA1

    4921781362aae55b41c03f9aafd9e38e4555e5e3

  • SHA256

    3ac3efee88adab86a250a53dd9448453fcc4223662f5c6c21453606b6eb91b77

  • SHA512

    5775e02245ee0158f8f99796edc448a79f580f9c8c6c4188b491084eb9cecf48a341c3231ece8be43e005882a05dfe24dea98aeafbebe3bde0c2ef30cca9dc8b

  • SSDEEP

    49152:opVFMHivibdm/rr3TxQrl18gOCNWofUNRvO3NwSS3Br+BT/KrqqXVbCuuTQjMk4P:KV4K2GTpCNJXWMxKrrlvsQRG9AmB

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:58112

Attributes
  • Install_directory

    %AppData%

  • install_file

    Realtek HD Audio Universal Service.exe

Extracted

Family

xworm

Version

5.0

C2

147.185.221.20:65300

Mutex

RMe1pa1UgjNcB2Un

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Shell Experience Host.exe

aes.plain

Targets

    • Target

      SAM X CHEAT crack1.exe

    • Size

      3.1MB

    • MD5

      82a95b30418e5c4c3cba62b7805b09c9

    • SHA1

      4921781362aae55b41c03f9aafd9e38e4555e5e3

    • SHA256

      3ac3efee88adab86a250a53dd9448453fcc4223662f5c6c21453606b6eb91b77

    • SHA512

      5775e02245ee0158f8f99796edc448a79f580f9c8c6c4188b491084eb9cecf48a341c3231ece8be43e005882a05dfe24dea98aeafbebe3bde0c2ef30cca9dc8b

    • SSDEEP

      49152:opVFMHivibdm/rr3TxQrl18gOCNWofUNRvO3NwSS3Br+BT/KrqqXVbCuuTQjMk4P:KV4K2GTpCNJXWMxKrrlvsQRG9AmB

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Realtek HD Audio Universal Service.exe

    • Size

      53KB

    • MD5

      ce3e5f8613ea049b651549eba3e3aa28

    • SHA1

      1197375be314ae5a69f3b742f0f539b881aca09a

    • SHA256

      9385116a4a3874548ffa027f4cd448d860ef8dc13fc687ce87790a01ede8e73a

    • SHA512

      ab1428177b5ec71447003ac01f5f99d9c7f2af634f17ef53d6f6be196714faac856b0bc3f62b6fad9975dad970ec247d35f56615c62b9ad483426f4ecaae71c2

    • SSDEEP

      768:/63AQe9cfNbv5s7Xol68y+JN/Db3dLPowu7aR6vaTOouhIZqklm:/WAQbdvoolZJ9b3dLPoCR68OnkZ8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      SAM X CHEAT crack1.exe

    • Size

      3.6MB

    • MD5

      38023663c5bba5e8d46cee0612e57a51

    • SHA1

      fd21a4aafa31ee8ebd851590e0ec79f7996725ac

    • SHA256

      a02b92ae36ca6fdc300a95a3e29d5a824f2f12a91e0bb6a6f499808ac12c816c

    • SHA512

      c8ab8e304d5e224153d8c7822646e9127520929cec32f655b69ea299540e6d824b9b7e57e6dc3c17ce97d6aaf71cda6dd499f9c7f6e59237276f5832a13573f1

    • SSDEEP

      98304:E+woaBHtFIT4bNJFY3Oqtbh+KH4kpc+DX/0Huhd:E+nAbjBHYcKYODtd

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Windows Shell Experience Host.exe

    • Size

      86KB

    • MD5

      17f122079462e212871a1e2eb20eaff9

    • SHA1

      349e4b54323acce835916a2bbe40dc9c5d30931f

    • SHA256

      f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e

    • SHA512

      95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94

    • SSDEEP

      768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
