General

  • Target

    rel.rar

  • Size

    80.3MB

  • Sample

    241218-v467bsxlhq

  • MD5

    2632f76723ccf7569742043990866f2f

  • SHA1

    9f264bdd05547bbc6c59f892dc03153359e281f1

  • SHA256

    c62bf66fbefa93ed91e76e92d0ac1f46a1307260f07dbc4f8da2dc1d9d9ed1e0

  • SHA512

    aa3fa3525d3c6fc35acecdf39f482fdc92f23904d70c616cf1c9782e3758a81a6cb862f3f20cbc3775149d376c690ed7e7bd6b17d5d41fa97a7fe0b05c27c226

  • SSDEEP

    1572864:eL7++F3anj7+orhFvyzTeE4xCVx10pQPEUifLdi0aoH6JqAe4yPnWd1GxvIunn:eu+IjyorhFvyzCE4cPsUJyaPyPWd18v5

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

C2

45.141.26.234:7000

89.213.177.171:7000

Mutex

V89f6NhukXYXM25H

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    Java Update (32bit).exe

aes.plain

Targets

    • Target

      rel/X_ATTACKER-V5.9.exe

    • Size

      162KB

    • MD5

      259ef2a4d3b4a291aacce6cbf3b7c1aa

    • SHA1

      d3361f8a86e11b10b62da75422876415eed9ea5a

    • SHA256

      e993af4d4349bb56f769eda37f8838aeaae0354374ecb63be0cf6f12a1f0bdb8

    • SHA512

      c81dac961497545b1765d7680dd9c2bef678974d5618bebdff5a9a5ad5116449237900f89501317efc6fb952364dd5a33a1a8a068f30dc4973c4fafd0fca467f

    • SSDEEP

      3072:ro1Bl9qSkwP7Hcy22Zngt44GYPvBieBH9apOYIJeO5mxC90Cpfl:ro3l9qY78y2qg2OPvMWIBxC90

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      rel/data/Cloner.py

    • Size

      8KB

    • MD5

      517b006e06b8ac04ff7329d03dbe58f5

    • SHA1

      e39b926758e6c9e9d096566606688fadd819ae3e

    • SHA256

      d9d0421a2d9fbed20f097d0771e27971cbc8a7df2aa8606acadbbd7a81441d98

    • SHA512

      a15c3a3a437f7f7e213c304908b09da9fc0ae623c39badc1d6247f16f50b03c9a2999475f67e4ca22f5192a461f94c2eb7c1258e69318e6c7c5820904d43a6b8

    • SSDEEP

      192:N8qIHPrTl+Cxh4mclWRPlFSV/WQzgrBAucHkbglNyRc40bPX/OOua:6tHPsO0l6PlF0WLKHWM140bXmOd

    • Score

      3/10

    • Target

      rel/data/Main.bat

    • Size

      23B

    • MD5

      ceac6187dcc32977d7f7d2989f309857

    • SHA1

      36004b80349e66678b47f962e2c7b05cfcc9c65c

    • SHA256

      84219526eec6e0ddad0355dea2939ed28263006de87b55ade7832fd56d174de8

    • SHA512

      b521843ee9f570b58c141e79264acde8c6d52ed8d60ea0b8ceeae24f0b70d12d9af83beb915de249b617ef2875107af31cc9b433a57f9d9fcf01f03586688e56

    • Score

      8/10

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      rel/data/Xprocess.exe

    • Size

      37.4MB

    • MD5

      9c3b1bb07553ac1bf8376cf0f23aa0ff

    • SHA1

      f70da1b58976c8c2d165b0cc902ab498c207e699

    • SHA256

      874762aaa8590ad4d3ebf98c043bda90c7fec08d92b39b074d624620224ab634

    • SHA512

      18be89a8159daf172e65fcbdff06b7632283de62248ddf9833c723b8cb0db145795f1fab9779f95897f17762fbb68323adbe18dac36c9677ab572fc293278f92

    • SSDEEP

      786432:ZaAVWfmYQF21QtIY2j6+s7LWB75zuPNua8DZcEW8S8ikemkPL6:ZRWezyiIY2qHWB75iVf6RWxj/mEu

    • Score

      7/10

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      rel/data/boot.bat

    • Size

      833B

    • MD5

      89b0c6ee8d688683c261bca0e27ddc5e

    • SHA1

      4100992f0755b97fcac6338b0e9d6d8a194a64e1

    • SHA256

      0fd0d5a0e7d7e4264e064800166d45b293737f753c58dcce15073171558b812c

    • SHA512

      e7d950728e5a9c885fad1b5496be8b43e59726f6fd5b2253670269f16c42fa5a4659a38a8dae70b08f96d2b371816694c2514c1f581945ab4f61eb1bad1543b5

    • Score

      1/10

    • Target

      rel/data/bootdis.exe

    • Size

      8.4MB

    • MD5

      4e2fa438d277855a923aab48f270b6a4

    • SHA1

      4d19199b290f44a268d2ed1b0c9a1868d33f168c

    • SHA256

      c7c66838d27a7743e04cf7366ec9363f42335d7875efcbb821160c15a2e76df3

    • SHA512

      0c244ac4a7b7f5655e6c790b34c5d3370af635972b004222215f5fb8120466ddb5ad34916287d8b4677d5054d4bdc5a32b5c0855d0c4a3ce0785f58d48f678c2

    • SSDEEP

      196608:RsmvL13A1HeT39Iigw6QeE9TFa0Z8DOjCdylvRl65nzhQdX109Vu:p5w1+TtIiF0Y9Z8D8CclJoZNI1wu

    • Score

      7/10

    • Loads dropped DLL

    • Target

      rel/data/copy.bat

    • Size

      28B

    • MD5

      ca4b38cd6d2479b5f37cc00990030a44

    • SHA1

      680a9d895faae8a923d771bc4514a9bf6b64ceb5

    • SHA256

      9fb5731a32df6a766501b0a13e0db2304e9f618bd000cccf8699849d222f53f2

    • SHA512

      1cc19e01ed43bb3049b13e5fbd676273d9354cb1a730119c52dc6384d4f98e712841a051d6c26fad8da9cace9fe3f82a7793e02604d1d80df8cffd4aa9f058aa

    • Score

      7/10

    • Loads dropped DLL

    • Target

      rel/data/copy/copy.exe

    • Size

      11.0MB

    • MD5

      47c181ebab7a0d53079ffa4f4cdf509b

    • SHA1

      1c1aa2c8fb7423ba8db8cf845c51460be5f06784

    • SHA256

      3fc1daf29264c1350ad1fae45ac36a2bbf1772e3b16c5bb1aece75b7a70cdc4e

    • SHA512

      2d25308b5ed14851de2bb188fd9a3283713fe8d825c9085b7fb77da70d99e578b27ac0a199b9bcfa92954e0869c144323d353b8333fe174d574e218cdae07b0f

    • SSDEEP

      196608:GsIngj1afuXJWIj8KkUx2R4NzhA1HeT39IigwCeE9TFa0Z8DOjCdylippnzu8Qd9:mgx9JWQsUcR4NzK1+TtIiFPY9Z8D8Ccl

    • Score

      7/10

    • Loads dropped DLL

    • Target

      rel/data/ddos.exe

    • Size

      6.7MB

    • MD5

      ad29751ee5a92ba9db70d6609e347e88

    • SHA1

      cd10ddaa1eff95bfefd66df34c2890b05a75edaa

    • SHA256

      8ac8827fc3512ce4a86379c9daca7af179b34a598a910aa728228b37ea33fa6a

    • SHA512

      bb9bfd5d4800c811836c9f77f07453e186008d39790a3194becad523de8a3b780df7621b5a4d406c77039948b2da86312904abe95dd720d55be26500325a8b24

    • SSDEEP

      98304:dznBoB/8gYCBXITlCXiGFXsw3AXizQLHLXKKh9beFJ:dnBoV8gYCB4Tl2i2cezQLHLXKKr

    • Score

      1/10

    • Target

      rel/data/emoji.py

    • Size

      6KB

    • MD5

      36a7efb01578c5758ccb30bbdfe1016f

    • SHA1

      65acf6d59fe9c363871c480ea2fbde63e130addc

    • SHA256

      77508c1c5504d2b88a7bbcc3154a1dba82450a21ab84810d90b28a5e50d0aee0

    • SHA512

      0e90a4e42c3465bc7bd4fac1763167617409257b2a86441dac2eb37073972c0186974cf6fed6d731cb2ab46451ed8d156eacd6383dad573bb1461a7327a97e7c

    • SSDEEP

      96:hV1AxA0qGGsAtg4O9hXi8Dg9kEeSu3JEGwVw+9v1eDtGZtHm1UmJVQbk9t5Do96k:hHfWzi6dw++9dIteAEkPdgFcb9IZgA6O

    • Score

      3/10

    • Target

      rel/data/fixpy.bat

    • Size

      285B

    • MD5

      910cb9b069151db589b044905fd8b398

    • SHA1

      f33a2b67027e1671888b0a8579455d378fbd8ccf

    • SHA256

      a89737ef17fd3a2a6ec89a9d74ed3d0326f6484018f293750875ab51adfb1fd2

    • SHA512

      92640cc1aea4dd9b9b657329e0757e95bd51c3c07e485ec1fc5847b8d855c88bf8dc6915e1f28f10ffccca932ff1dcf5165dc038cc1a5c13738193858aca4890

    • Score

      1/10

    • Target

      rel/data/install-python.bat

    • Size

      4KB

    • MD5

      05525205f01645c56a9429dac23e9901

    • SHA1

      b5e490ed908b263b9a89ef7305b4e20585f6aaa0

    • SHA256

      c3a0c979f4f3f3c2dca28ff6cd584c3a0af7c6e3026864b7013f76bcff084b99

    • SHA512

      4e66775e5caadd914d744330f5ea1ca65a7638b0e12f37bb8bbcf5410aa51c338edd9d8b13b2521e066b73075a896850abd2709b23e31d53f0051701fd1f45e2

    • SSDEEP

      96:Wy0OhxKWYpV8TCKzCpzTqd2L0VhZEjAoN2bj:Zf1K7L0aZc

    • Score

      8/10

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      rel/data/joiner.py

    • Size

      2KB

    • MD5

      8e7aa76c6b60850ea1309f5ff6f52679

    • SHA1

      57e589f4077f1a9eda5f971f41a9178284ceca86

    • SHA256

      359ff5681c2ff5d2111cd7122b7f90b0c8313b8242bb0972cbe5fc0f5ec1e782

    • SHA512

      00330affd3729fda0ea90256044ec563284aae6f631db04e3fdd48b9673591dc7aedbc147eb1d90d96d566cbeae1b7e0fe0e903899b79ed71dcee0687e7ca27d

    • Score

      3/10

    • Target

      rel/data/sms.exe

    • Size

      9.3MB

    • MD5

      2fda729af7be83624fe7b5c61d2d36a0

    • SHA1

      68ee34c9d368b0a201f9a574c19fe700974a6563

    • SHA256

      0c2e058f82341a8b2b4460cd0bdbf2ed9156295e5e9a64b68aa320b817f2fb1d

    • SHA512

      869a40de2075764b03720f9a176615a15fd67b69d0e04bdfa1c596f9315ca4aaae1161aadcd1ae47cc23fdb9872e7b7c58f0ee8b00784f2559e3a4664ce2883e

    • SSDEEP

      196608:kL6l5BVpPXNxqVOAyfwK3rQOP5WunF7cdeb/C3UwNRaLJJ2jDa7Gw:k2ldIVdy4afBW62duNJ2aT

    • Detect Xworm Payload

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      rel/data/tc.py

    • Size

      6KB

    • MD5

      23b4621b02f541c3988b876e786861f8

    • SHA1

      c7e2746411ba33695ab1680330b7c1f77bd95f40

    • SHA256

      5ec68d594ea66b1b27df581cb2c4a3451994ebf12cc7ad6eb193e381d14d9b51

    • SHA512

      c3c1eb3e322c403ef79192ef1786de999310733a56c356cc27891688929ca74f87a1f4eb861c483ae420773bf5478f2901d841854e2557f8e743010da08c92f5

    • SSDEEP

      192:G2YEn6w+4xIe7+mJV0x4GO1isGkoM4jwdz+zv:B7nz/xL7+1oRoM4i+zv

    • Score

      3/10

    • Target

      rel/data/wbspam.exe

    • Size

      9.1MB

    • MD5

      2439191ec6705d5ec64a62100c3403b5

    • SHA1

      082d5e6026166c28ce86084a670aeb51fdced867

    • SHA256

      a4baabd02d5098ad2e56769050d9d59f3689e46fa71a08cf25a4f60aed5f6439

    • SHA512

      8f0f1c093ac1988a2d9ea8a068afe130411a96cfe38d64a1ab4a94ec0bb1e5972ba0b78b5ff9422488b966cc15eae468bf41b7981cfff9203f5e37237dbc9b4d

    • SSDEEP

      196608:JsIjLqBA1HeT39Iigw6QeE9TFa0Z8DOjCdyly0l6AnzuQdXM9/xTK:z6q1+TtIiF0Y9Z8D8Ccl9oE6IcxTK

    • Score

      7/10

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      rel/fix.bat

    • Size

      29B

    • MD5

      4d5ce73b7f043aa345bb5b38977f699c

    • SHA1

      33b35b1f0a73de87d0de7f4bb4ad88ace170d2b9

    • SHA256

      79fd5cdb5a076d093a62b4970fc5a0719b3a08bf2aabb50a7f04ab08aff1847a

    • SHA512

      111918480b4cd8fd22c9d637e4aae8817a57aa1df3c774a237a402832dac4b62f1e2349031905e950f20a40a5e64074884c988de46b66112cd99021245c86dd1

    • Score

      1/10

    • Target

      rel/token.bat

    • Size

      39B

    • MD5

      2b2d6a56884b6e296f24477217e6b448

    • SHA1

      c74d2269fd4ce0cdc0117348597158fe316cf08b

    • SHA256

      388dd1226092eb1cb89fa263ddb1e9af5a99f0145c5cd8e0b57507a8b9f9677d

    • SHA512

      d98e998145eae9d166daf606ef60af2f16be39e98a04a7db559dc73f34e35411454bcd1d293ec1c356d07526f75a50fd67f92b99d0ba8af1d61313c610e6aeee

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Target

      rel/token2.bat

    • Size

      30B

    • MD5

      5aae19856a8203edbfeb2f84a470c384

    • SHA1

      c6b7c3eaa9ba2ff015bf8f9e80acfdd05ef8e695

    • SHA256

      2beac54b8d817a264352c1268427d59f4cf26765c3c1277039867894a09108a3

    • SHA512

      ce61df98acb14dbbaed67a1326628d9af90d8c9b9e73c2a43cc8902a70a7699387ff48c2e085c08cad6b648b7f258253b58c2b761d76d0ba29ce5976cbef632c

    • Score

      7/10

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

MITRE ATT&CK Enterprise v15