General

  • Target

    rat-virus-DONT-INSTALL-main.zip

  • Size

    276KB

  • Sample

    241203-s6k1rs1pgv

  • MD5

    f911d77f502e7f058f91acdefb066903

  • SHA1

    88584002780fe8cc10d1d27fc398f1f0d383b5a3

  • SHA256

    1470a3336049aa3867b95b23f2671b64eebf2c79fbde95e860c6f592da96d0f7

  • SHA512

    acda500653f12d3163af90f89bc6cb115fb633e172f13bd4d5da71b5dd43f33fe6204eb06149bdb462ed964c43244a3d4dc1854482f1f4c8e77a3065be905230

  • SSDEEP

    6144:XIs3ZouAhKw+dzuGrqDHMmkXLJXR6y5QNWGwiH9UG8T:XPpouIL+dCwbnv6nzOG8T

Malware Config

Extracted

Family

xworm

C2

saw-proceedings.gl.at.ply.gg:7021

saw-proceedings.gl.at.ply.gg:16297

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Extracted

Family

xworm

Version

5.0

C2

saw-proceedings.gl.at.ply.gg:16297

Mutex

sr2CYoJagZJqSlDE

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      rat-virus-DONT-INSTALL-main/gfdgdf.exe

    • Size

      196KB

    • MD5

      f1d574a2ce3b45d46845424deb8a40c4

    • SHA1

      eb9001eb8a7c84b8c098e5272e019749212ef6ce

    • SHA256

      b6af30ae56cde74bd4cbdce14c37fbf9926be55f461915b7520c27276b8a1d2e

    • SHA512

      4cddbb15335ad1257ecb99f67f48f9b925156cdea9a8a4aaeda3e7d738109553fb9e1372e7b06cf4249e3275a988a031889cf1b2d139b455b85932e657390e05

    • SSDEEP

      3072:I+o5f+Rd3SfgCkb0PYfUjgOy8A2ewhLapuvpAsZOyMqmyBeYVYO:I+o5fWdiqbjfUD/GWGwqqm1

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      rat-virus-DONT-INSTALL-main/ratka_dontopen.exe

    • Size

      197KB

    • MD5

      f43a0c44fc8034439cb6227eb7cfc9f0

    • SHA1

      f1c2414c2a7dfe30245f07f430f3987da627be7b

    • SHA256

      528f537709cc8c2d396961a07f2a264b3ba348db1ab7e6a8d096e7774d7c807b

    • SHA512

      db6e1682d7116113189fd362a388e810e4604964b7250c91a87930918670bae11d84705535ec08b1fcdec4f8066f8b527281fb5ba56f04d940bbf94428b51dcf

    • SSDEEP

      3072:Gne8nSoMNH4kbhuM6+OJSA2ewhLapuvpAsZOyMqmyBeYVYn:Gne8SXlb0a/GWGwqqm1

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      rat-virus-DONT-INSTALL-main/remota access trojan.exe

    • Size

      169KB

    • MD5

      ca2667182ed67e8256e9a084c29f17b0

    • SHA1

      0c0e38a58ae8cb33af4d99748cc87a38b74ee864

    • SHA256

      0d6f8259f225d360a0a3d2470973faea74f776e75663b36e9eceb6edc0b1fa92

    • SHA512

      53616632672de1497f9b50b761677458369b2934c6d16372f978e695c6b9a9d248a663466c38b888451114f2553232c89059d0ecd854803da17f492af62922e5

    • SSDEEP

      3072:sqaFZ9jFOjCA2ewhLapuvpAsZOyMqmyBeYVYf:sbZ9t/GWGwqqm1

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family
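
The indicators in this report (the two C2 host:port pairs, the mutex, the %AppData%\USB.exe install path and the SHA256 of the three dropped executables) turned into a small matcher that runs over endpoint telemetry. This is an added example and not part of the sandbox report; the "kind key=value" log format, the hostnames WS01/WS02 and every event in SAMPLE_EVENTS are constructed for it. The `.ply.gg` suffix rule is an assumption that goes beyond the report: the C2 hostnames sit under a public tunnelling-service domain that legitimate users also share, so that rule is reported separately as a heuristic rather than as a report IOC.

```python
"""IOC matcher for the XWorm indicators in this report, run over constructed telemetry.

Everything runs offline; no lookups, no network.
"""
import re

# Indicators copied from the report.
C2_ENDPOINTS = {
    ("saw-proceedings.gl.at.ply.gg", 7021),
    ("saw-proceedings.gl.at.ply.gg", 16297),
}
MUTEX = "sr2CYoJagZJqSlDE"
INSTALL_FILE = "usb.exe"  # install_file from the config, compared case-insensitively
SHA256_IOCS = {
    "b6af30ae56cde74bd4cbdce14c37fbf9926be55f461915b7520c27276b8a1d2e",  # gfdgdf.exe
    "528f537709cc8c2d396961a07f2a264b3ba348db1ab7e6a8d096e7774d7c807b",  # ratka_dontopen.exe
    "0d6f8259f225d360a0a3d2470973faea74f776e75663b36e9eceb6edc0b1fa92",  # remota access trojan.exe
}
# Assumption, broader than the report: any host under the tunnelling domain is suspicious
# on a fleet that does not use that service. Flagged with its own reason string.
C2_DOMAIN_SUFFIX = ".ply.gg"

# Constructed log format: "<kind> key=value key=value ..." with no spaces inside values.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'kind k=v k=v' into (kind, {k: v}); None for blank or malformed lines."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        return None
    return parts[0].lower(), dict(KV_RE.findall(parts[1]))


def check_host(host, port=None):
    """Exact host:port and hostname matches come from the report; the suffix match is heuristic."""
    host = host.lower().rstrip(".")
    if port is not None and (host, port) in C2_ENDPOINTS:
        return "C2 endpoint listed in report"
    if any(host == h for h, _ in C2_ENDPOINTS):
        return "C2 hostname listed in report"
    if host.endswith(C2_DOMAIN_SUFFIX):
        return "host under C2 tunnel domain (heuristic, not from report)"
    return None


def check_event(kind, f):
    """Return a reason string if one event matches an indicator, else None."""
    if kind == "netconn":
        try:
            port = int(f.get("dport", ""))
        except ValueError:
            port = None
        return check_host(f.get("dst", ""), port)
    if kind == "dns":
        return check_host(f.get("query", ""))
    if kind == "file":
        return "SHA256 matches a dropped XWorm payload" if f.get("sha256", "").lower() in SHA256_IOCS else None
    if kind == "reg":
        # "Adds Run key to start application" with install_file USB.exe under %AppData%.
        key = f.get("key", "").lower()
        data = f.get("data", "").lower().strip('"')
        if key.endswith("\\run") and data.endswith("\\" + INSTALL_FILE) and "\\appdata\\" in data:
            return "Run-key persistence pointing at %AppData%\\USB.exe"
        return None
    if kind == "mutex":
        return "XWorm mutex from extracted config" if f.get("name") == MUTEX else None
    return None


def scan(lines):
    """Return [(line_number, reason)] for every event that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue
        reason = check_event(*ev)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample telemetry (not from the report): two hosts, a mix of benign and matching events.
SAMPLE_EVENTS = [
    r"dns host=WS01 query=saw-proceedings.gl.at.ply.gg",
    r"netconn host=WS01 dst=saw-proceedings.gl.at.ply.gg dport=16297 proto=tcp",
    r"netconn host=WS01 dst=update.microsoft.com dport=443 proto=tcp",
    r"file host=WS01 path=C:\Users\bob\Downloads\gfdgdf.exe sha256=b6af30ae56cde74bd4cbdce14c37fbf9926be55f461915b7520c27276b8a1d2e",
    r"reg host=WS01 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=USB data=C:\Users\bob\AppData\Roaming\USB.exe",
    r"mutex host=WS01 name=sr2CYoJagZJqSlDE",
    r"reg host=WS02 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=OneDrive data=C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"dns host=WS02 query=other-tunnel.gl.at.ply.gg",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_EVENTS):
        print(f"line {n}: {reason}")
```

The Run-key rule keys on the install path rather than on a value name, because the report gives the install directory and file name but not the name of the Run value. Exact endpoint matches and the mutex are high confidence; the suffix rule will also fire on legitimate tunnel users and belongs in a hunting query, not a blocking rule.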

MITRE ATT&CK Enterprise v15