General

  • Target

    retardedrussianspreadingshit.rar

  • Size

    7.8MB

  • Sample

    241120-v4szps1bnq

  • MD5

    2e1d0c1ec49e8a4fe339b203e8f07e2f

  • SHA1

    93f93a69c8749e775dc551c9a21d6c29bc868d2b

  • SHA256

    7a4255ae6f3b241f21c3c85beb25988e665c03675ce8c932e22903973cb6b79f

  • SHA512

    fac2637fb0a918f5b95c727a2b8fe6d244caca4d8911f7959094721bf0dd4d24f408d068d025c9b6e2c034a3e5a00fa0c0f911488450e68377a76ef7ed87a9b1

  • SSDEEP

    196608:V8Vrs1vqnoYa8sWxiEJr3dDF/ctDt/wVTLGL7vo/YDipbgQM4tXJr:V8JssoYa8jBtwb0/Qipbg30t

Malware Config

Extracted

Family

xworm

Version

3.0

Attributes

  • Install_directory

    %Public%

  • install_file

    Utilman.exe

  • pastebin_url

    https://pastebin.com/raw/LqnQsuPh

  • telegram

    https://api.telegram.org/bot7737805452:AAF8gLCy7lakGIkiT8m22TUsfVQMxjiM1wE/sendMessage?chat_id=7044899953
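To make the extracted config above directly usable, here is an added Python example (not part of this report, and not XWorm's or the sandbox's own code). It expands the install path, flags a Utilman.exe that sits outside System32 (the legitimate Accessibility binary lives there, so a copy in %Public% is masquerading), splits the Telegram Bot API URL into bot ID, token, method and chat_id for pivoting, and pulls the paste ID out of the pastebin_url, which XWorm typically uses to fetch its C2 endpoint. The %Public% expansion to C:\Users\Public and the set of legitimate Utilman.exe directories are assumptions about a default Windows layout.

```python
"""Turn the extracted XWorm config into hunt-ready indicators (added example)."""
import ntpath
import re
from urllib.parse import parse_qs, urlparse

# The config fields exactly as the report lists them.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "version": "3.0",
    "install_directory": "%Public%",
    "install_file": "Utilman.exe",
    "pastebin_url": "https://pastebin.com/raw/LqnQsuPh",
    "telegram": (
        "https://api.telegram.org/bot7737805452:AAF8gLCy7lakGIkiT8m22TUsfVQMxjiM1wE"
        "/sendMessage?chat_id=7044899953"
    ),
}

# Assumption: default profile layout of a stock Windows install.
ENV_DEFAULTS = {"%Public%": r"C:\Users\Public"}

# Assumption: the only directories where a genuine Utilman.exe lives.
LEGIT_UTILMAN_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def expand_install_path(cfg):
    """Resolve %Public%\\Utilman.exe to the concrete path the RAT installs to."""
    directory = cfg["install_directory"]
    for var, value in ENV_DEFAULTS.items():
        # Callable replacement so the backslashes in the value are not read as regex escapes.
        directory = re.sub(re.escape(var), lambda _m: value, directory, flags=re.IGNORECASE)
    return ntpath.join(directory, cfg["install_file"])


def is_masquerading_utilman(image_path):
    """True when something named Utilman.exe runs from outside its legitimate directory."""
    norm = ntpath.normpath(image_path).lower()
    return ntpath.basename(norm) == "utilman.exe" and ntpath.dirname(norm) not in LEGIT_UTILMAN_DIRS


def parse_telegram_url(url):
    """Split a Bot API URL into the pieces worth pivoting on; None if it is not one."""
    parts = urlparse(url)
    m = re.match(r"/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>\w+)$", parts.path)
    if parts.netloc.lower() != "api.telegram.org" or m is None:
        return None
    token = m.group("token")
    return {
        "bot_id": token.split(":", 1)[0],   # stable even if the token is rotated
        "bot_token": token,
        "method": m.group("method"),
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


def build_iocs(cfg):
    """Collect everything a hunt team would load from this config."""
    return {
        "install_path": expand_install_path(cfg),
        "pastebin_paste_id": urlparse(cfg["pastebin_url"]).path.rsplit("/", 1)[-1],
        "telegram": parse_telegram_url(cfg["telegram"]),
        "hosts": ["pastebin.com", "api.telegram.org"],
    }


if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED_CONFIG)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("masquerading:", is_masquerading_utilman(iocs["install_path"]))
```

The bot ID and chat_id are the durable parts of the Telegram indicator: the operator can revoke the token, but the chat receiving the exfiltrated data usually stays the same across builds.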

Targets

    • Target

      DarkComet.exe

    • Size

      8.2MB

    • MD5

      c6641cb74bdd9e7f003dc6c9e67e1cab

    • SHA1

      5251c38bfcc670befbb9f8bf77df70edd96ab07b

    • SHA256

      cc38b7bb164fefe0d0d71a17cb09fb055b1cc14c2793ffa6341f70a7425fb249

    • SHA512

      daba3b53a0fa0f0018d259364dfb5a417b00d9ff9688ca38a006a3cfa1ef9e86b4aadb70c444ed14944467024546570367324f71ce100deaaf3f39598ba2e874

    • SSDEEP

      196608:z/pm75SOeWhEbgEpO2QfUG/f5rVcPU/YKdoAVY5pBoEOFD:51/UgQ/9VcPUJBSROl

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Darkcomet family

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
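As an added example that is not part of the sandbox's own signature code, here is a Python sketch of how five of the behaviour signatures above can be re-derived from process, registry and network events. The event trace is constructed to mirror this report; the user-writable directories, the IP echo service hostnames and the Geo key under HKCU\Control Panel\International are assumptions about what each signature keys on. It goes slightly beyond the page in matching all three Add-MpPreference exclusion parameters and several IP lookup hosts rather than a single one.

```python
"""Re-derive the report's behaviour signatures from a constructed event trace (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str    # "process_create", "registry_read" or "network"
    image: str   # the process performing the action
    detail: str  # new process command line, registry path, or destination host


# Constructed trace modelled on the behaviours listed above; not real sandbox output.
TRACE = [
    Event("process_create", r"C:\Users\admin\Desktop\DarkComet.exe", r'"C:\Users\Public\Utilman.exe"'),
    Event("process_create", r"C:\Users\Public\Utilman.exe",
          'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\\Users\\Public" '
          '-ExclusionProcess "Utilman.exe" -ExclusionExtension ".exe"'),
    Event("registry_read", r"C:\Users\Public\Utilman.exe", r"HKCU\Control Panel\International\Geo\Nation"),
    Event("network", r"C:\Users\Public\Utilman.exe", "api.ipify.org"),
    Event("network", r"C:\Users\Public\Utilman.exe", "pastebin.com"),
    Event("process_create", r"C:\Windows\explorer.exe", r'"C:\Windows\System32\notepad.exe"'),  # benign noise
]

# Assumptions: directories an unprivileged dropper writes to, public IP echo services,
# hosting services this family abuses, and the registry key holding the user's country (GeoID).
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp", r"\appdata\roaming")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}
HOSTING_HOSTS = {"pastebin.com", "api.telegram.org"}
GEO_KEY = r"control panel\international\geo"


def first_token(cmdline):
    """The executable part of a command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0]


def sig_defender_exclusion(ev):
    return ev.kind == "process_create" and re.search(
        r"add-mppreference\b.*-exclusion(path|extension|process)", ev.detail, re.I) is not None


def sig_location_check(ev):
    return ev.kind == "registry_read" and GEO_KEY in ev.detail.lower()


def sig_external_ip_lookup(ev):
    return ev.kind == "network" and ev.detail.lower() in IP_LOOKUP_HOSTS


def sig_executes_dropped_exe(ev):
    return ev.kind == "process_create" and any(d in first_token(ev.detail).lower() for d in USER_WRITABLE)


def sig_legit_hosting_abused(ev):
    return ev.kind == "network" and ev.detail.lower() in HOSTING_HOSTS


SIGNATURES = {
    "Command and Scripting Interpreter: PowerShell": sig_defender_exclusion,
    "Checks computer location settings": sig_location_check,
    "Looks up external IP address via web service": sig_external_ip_lookup,
    "Executes dropped EXE": sig_executes_dropped_exe,
    "Legitimate hosting services abused for malware hosting/C2": sig_legit_hosting_abused,
}


def run_signatures(trace):
    """Map each signature name to the events that triggered it (only signatures that fired)."""
    hits = {}
    for ev in trace:
        for name, check in SIGNATURES.items():
            if check(ev):
                hits.setdefault(name, []).append(ev)
    return hits


if __name__ == "__main__":
    for name, events in run_signatures(TRACE).items():
        print(f"[{name}]")
        for ev in events:
            print(f"    {ev.image} -> {ev.detail}")
```

The Defender check keys on the command line rather than on the powershell.exe image so that it still fires when the cmdlet is invoked through pwsh.exe or an encoded command that a script-block log has already decoded.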

MITRE ATT&CK Enterprise v15

Tasks