General
-
Target
Loli-Mod-main.zip
-
Size
3.8MB
-
Sample
241218-yahhnazncp
-
MD5
79993a6a093e42d5428960b6c848562b
-
SHA1
bc2f0a472b573f353634253c4f27f5de07801671
-
SHA256
fb63758b69032986e72f3d9a3e95b651151dce8f4349aa539b65422beef5702a
-
SHA512
3d60502c7ef2d2511f963b7b71ef1bca3b7fad8663214087e69f66b295e75ce7f9c54e587abcee90409a369e36ab79784c20b833cef464ef7a1f955a1c3b5d6c
-
SSDEEP
98304:gydFzGWjLrlEJMiufgWwT2dH1UgbjFKpEc2GfwUzd6FG:gqhuJMimgWwT2dVUgbZ8lnfEg
Malware Config
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
xworm
5.0
GQrSWs3TiKJsppyp
-
Install_directory
%AppData%
-
install_file
COM Surogate.exe
-
pastebin_url
https://pastebin.com/raw/EJ2UmS6u
Targets
-
-
Target
Loli-Mod-main/AsyncClient.exe
-
Size
61KB
-
MD5
a4314ad7e9a2945cf99dd03e9e46f7c1
-
SHA1
326c096e183a17cbc41034c6b6a6917de5347a86
-
SHA256
22639054481629b24309f3ab18f016231ed4f3de6fa6b852598848c1dbe7cf1f
-
SHA512
5787f414ebf281f581e26d21541915897e741995528bb7cc20e5d7c02d8a35e05047cd47e231d3ea389986323ee58039844c075134869a3e63d004c11f08a8c8
-
SSDEEP
1536:X4eepw4Di7A6h8ibi5e2SUbmGU6xqq3WTx:X4eepw4Di73h8ibifSBGDF32x
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
-
-
Target
Loli-Mod-main/Loli Injector.bat
-
Size
4.8MB
-
MD5
9c58972b0a69ec3cd850d541d5a6ccc9
-
SHA1
40fbc45efee38e4c6ff928783825dd8fc43fea42
-
SHA256
5892a004e878334d83c8956fe8a1ee683ed5071a88a89c0fe9a173759573383f
-
SHA512
0d5f60c4121f00c3cca5d8bfeddbf3f3e3a4c7bf5de94a47722b961c4bd652fa43038b12160c7b61b52bcc1eaf554e58a9676f9e84d84dd7e97250b6def35f41
-
SSDEEP
49152:ycTqSBit+t1oEdDxWh3i8oS6h/ReKmSv/W7EXi/I2Mo2A/ZkuSgcajoI8oDwkq:V
Score1/10 -
-
-
Target
Loli-Mod-main/Stage 1.exe
-
Size
151KB
-
MD5
d58b5b6cfcaf63f9dd9015fadf8e8223
-
SHA1
f927a187ca142b03f5dc0c49804fb6eb4425f3f3
-
SHA256
906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f
-
SHA512
cb5d0832d00cd5cf72734425d0bae5039e1356a1da1105af6260468e1420e3207d90fbe09a9019134b0a1d6528ff3f84f2b025d6111cde2364eb255c5c885b47
-
SSDEEP
3072:6J/Rm34y9GUVkpj3KOVgHqMPfKVqcbYA/LzNAtV:6nm34y9D2pj3TgnKVqc0B
Score1/10 -
-
-
Target
Loli-Mod-main/hvnc.exe
-
Size
346KB
-
MD5
040b5cdd9f993144863a239910e4f330
-
SHA1
ffe436c707ecb929731f30022791131144f1cc09
-
SHA256
936c227d57a97478941e754f497760a156691ef7fd7a260832bc72aa38ad56f2
-
SHA512
ef17b7c67c4eed71b0d7a54ff2daf3e386e7c070bf2a08344e0c3d00bac8c9be87e72a129e54196c4045663917ce80cba4e42a22617d38f5a88eed37ec7973c5
-
SSDEEP
6144:KKYO0tJNEenVEtHn3r0M6XiA6nWMh0OWtAuUlabJPOgSU6KIvSx8fCf0X2un:Ki0tJPVEtXxWMaOxu0atm3hc0mC
Score3/10 -
-
-
Target
Loli-Mod-main/y.exe
-
Size
38KB
-
MD5
9212396ec7e75aee632a2304c9050bb3
-
SHA1
ecd187b60d5619ba78ab54bdd43ab9419ca4a72d
-
SHA256
6b82fc5f7ed107648cdb24ebd5f2aa0cff16af9d736ac8455175498a7ad47266
-
SHA512
b00528fa583cbd17b4a7b3f474c8177a288d95ab0f80aca1381434cb15df7fe0b2a9b7d6ea95d4ec55e8ad279f7473db07dde82d1ec408a46cbb60b4e4c5d2a4
-
SSDEEP
768:AXI+D3yb6a5up+I3pHGFyw9/PO6rO/hbPNQU:AnDiHDsEFr9HO6rO/NOU
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1