General

  • Target

    fudcrypto.zip

  • Size

    212KB

  • Sample

    241121-b9halsslhm

  • MD5

    8989cf7b833dc53bafc8ec626c3c13d8

  • SHA1

    f5bbc5d9eb758a286de576bfb7b08e79d0bd7acb

  • SHA256

    d074441c881b5ba2b3f238a730edbb942b0dfb97114e1a06ebd4872282a654ef

  • SHA512

    7b373981cf06727207b8177aced9f989270a94635737cc6dbc27c041a3db5559df17987342bcc3d1d3ae8e2770065e27d9eb2c2eb3f92b30f8890a933b03da1e

  • SSDEEP

    6144:B7/IelIkZgzD3ysBmPXjifL7JPkVu0iGty:S6LgzD3oXk7FYJty

Malware Config

Extracted

Family

xworm

Version

5.0

C2

104.234.114.133:1188

Mutex

cbhMMjEG3bxpp43T

Attributes
  • Install_directory

    %Temp%

  • install_file

    system.exe

aes.plain

Targets

    • Target

      fud crypto/AUTHZAX.DLL

    • Size

      67KB

    • MD5

      6d7aaaadf2bb5a485c9af58f73641379

    • SHA1

      0cf59ade584b41a987cd256172633d5f78bdd64d

    • SHA256

      21bd2da73c0fd41e35999b01e695e8187741812a138494ad4b2d3c4e5241937d

    • SHA512

      ce97970c9cd42944c4d08438962297e3215595254776db6d732298984ccd9ee8778ec83b5f39d229d89b6fc4c0d49647a78120fce0acc03fa3bb60ea91cfd6b0

    • SSDEEP

      768:hV2w7WuYlsz1Zha3S0EJaKZf3VcvB/2AgbfViz7/TFFGVOucKfsgx9e3PlYZKO+Q:mwJYKs8XMTf7/TX6e3PYKO+oU795Y

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      fud crypto/BCSAutogen.dll

    • Size

      48KB

    • MD5

      16e35e8821dc8d90348f274efa941792

    • SHA1

      698599ee94bf4e4c271e989699e288bbd5fc31e3

    • SHA256

      c37325c2ce7803f93033090a477df7a8588d5a1cdef6cc0cea44e299bf8da989

    • SHA512

      879dd4c8cd4bdf4ffbbb6affd259ff47bf4077e6686808a91b10fc0fdb234139dc3ed69e40ce3ca31f0b0bb1d7ea940fd0b6c0317e0865883eb2283c50abfdc9

    • SSDEEP

      768:OmA/lY8mNiYiVvpT/Ix7Y40DX/AdFepp83LSw2eAOswwbz64cROMi2jpv:mlYH6vdw0/AS+WeAOsfbz64g595

    Score: 1/10
    • Target

      fud crypto/BCSClient.Msg.dll

    • Size

      38KB

    • MD5

      5cb87afc5f4c9c46819d26d8fa3f5c44

    • SHA1

      706c5a662a7dd76cf5ba832fba1835528931d863

    • SHA256

      49871714d54dc38e91777cfb4cdc9117cc7b22693db054851b1992202ba4b7e1

    • SHA512

      eadca1a9437793b4d4fd6eeeab247051b0fd594d94b990d3f7b0328e82bab62282d4d2e93b83e68d0638b6587db7eefd9b87bc2331e05f236e9426e0954889f6

    • SSDEEP

      384:uTKH7lynP81JsaRSJt/KQocMIq8MffHI3rbZKpUMFLXci2jpv3q:uTg7eP81Kast/KzHABuZMi2jpv6

    Score: 1/10
    • Target

      fud crypto/fudcrypto.exe

    • Size

      212KB

    • MD5

      eea17ac368bc01f9f8a3e0103cf5b6e6

    • SHA1

      d4df74f888d9025497c9e4b418c65cfa2c0ab2c0

    • SHA256

      de1d872fa35b4ec1a843db9c63fc7e4590fd3b7b250ab5c6a492630ab68b5886

    • SHA512

      cf297ea8ec540354a22fd046d34f6fc93e74bfe474e4729531263180e4cb35af48c0b6614f5a88c72f0bf767890109eba13c8eca3c9f1f6abaffe7cacabaaccf

    • SSDEEP

      3072:Fm18FOY1Y10lDPANA8nL8U0TaxzKJltDM7t7aAwA9u7m0Vuth4R1:cEDoTnL8hDY7JPCVu0

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15
