General

  • Target

    NursultanAlpha.zip

  • Size

    3.2MB

  • Sample

    241221-qfaq1azqar

  • MD5

    19a8805e3588ee9e689672cff8e092b1

  • SHA1

    28b393d298a7f6327608f9a4deed44321859eefa

  • SHA256

    6769f3dcde3cc9f6fb8fd1fb6a37b52221ef79b97d5d4002c44308da7a24b144

  • SHA512

    32a014f6af133487e509e362a156ec5046db58fd8e4eb7ef4b617ef512a1576da4d38bb06c820052a35fc875332f8089677d3c986302be72814d5a28950e972d

  • SSDEEP

    98304:4XqvYTd4WG53jRdbFxwLH6CrP+cKTdN9vChii6TevAF:aqgTdCz74awO7Chi7NF

Malware Config

Extracted

Family

xworm

C2

22.ip.gl.ply.gg:61996

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot6997638498:AAHa9TMLloZsFrAsEGC8rfuzrK0fiaQAI5Q/sendMessage?chat_id=1031836490

Targets

    • Target

      Nursultan Alpha/api-ms-win-core-datetime-l1-1-0.dll

    • Size

      20KB

    • MD5

      b71c18f8966cead654800ff402c6520f

    • SHA1

      a6f658ea85ad754cf571f7b67f3360d5417f94bd

    • SHA256

      a94b80a5111aabefb1309609abdd300bb626d861cd8e0938b9735ab711a43c22

    • SHA512

      17867aaa57542c1cd989ca3000f3d93bbb959eb5a69100c70c694bde10db8f8422d3e86e1a5fc0848677e4343c424013cdf496b8bb685f8875c3330271242369

    • SSDEEP

      192:CWBhWg8WYnO/VWQ4eWQLoQLCamylqnajP3Txv4:CWBhWgqU7oQ3Jllz3Vv4

    Score
    1/10

    • Target

      Nursultan Alpha/api-ms-win-core-debug-l1-1-0.dll

    • Size

      20KB

    • MD5

      a998282826d6091984d7d5f0bf476a31

    • SHA1

      b958281ad7b861e0adcbeb0033932057082ae4fc

    • SHA256

      263e038363527b7bed05110f37f7e5b95f82aab9c0280c9c522cf7bfce10fd7d

    • SHA512

      ba46b6e7649cded62e9c097c29d42a8ea3da52109d285b8ed7aaea9a93c203efcfd856d25cee9bd825c0835b37a1d7a37a8ae55e0e10dc237f0da7013056cf5d

    • SSDEEP

      192:6oWBhW6WYnO/VWQ4eW4IUTyvQLCamylqnajP3TxfMuS:6oWBhWQUVGvQ3Jllz3V/

    Score
    1/10

    • Target

      Nursultan Alpha/api-ms-win-core-errorhandling-l1-1-0.dll

    • Size

      20KB

    • MD5

      c148a26d3d9d39777dabe28dc08cee60

    • SHA1

      4f7537ba8cee5ff774f8d7c3fe4174fc512b70d4

    • SHA256

      085968d938ea924827c4740697713674850218a8fe91dd9982e93b0effacc820

    • SHA512

      6689dfb19898f420632295fb9982668919011784278dc6840716c91ca8dcb434057096640a15fab7a93edf722530451da274d02bb344cd429388412ad11a79e0

    • SSDEEP

      192:IcmxD3mTWBhWnWYnO/VWQ4eWFsz2cA5E8qnajTwgYWmlgF:BVTWBhWXUT2x5E8lvwzWC

    Score
    1/10

    • Target

      Nursultan Alpha/api-ms-win-core-handle-l1-1-0.dll

    • Size

      20KB

    • MD5

      f90e3b45c7942e3e30ecf1505253b289

    • SHA1

      83beec2358de70268bc2e26ed0a1290aaef93f94

    • SHA256

      7e45a1b997331f4d038f847f205904d6ec703df7a8c5c660435697e318ced8fc

    • SHA512

      676450eb70a5ceae1820a978412ef3df746f14790322122b2de3e18ef013802c27867ad315950fc9b711e66f36628b062e57a7ec44d1ddc06f443655383cdc14

    • SSDEEP

      192:T9vBWBhWKWYnO/VWQ4SW9L91fzcA5E8qnajTwggW:TDWBhWgUE99x5E8lvwbW

    Score
    1/10

    • Target

      Nursultan Alpha/attach.dll

    • Size

      28KB

    • MD5

      d1d6f41c54cabcfeba09607982554e42

    • SHA1

      0a505ff3a3556c3ea8af61e00e1c1a45c11a96ea

    • SHA256

      ec90351fed2c2bd9a38d70d48f2d04c2812f3f6c11c149804a924df2ad629065

    • SHA512

      4a23e45d2dd1deded0c45e15ed5ecb193a3f7bdde2d6fa167125e3d2fddfb21988d4005fd0c990109a8c47605a1791627c1e10a786f4b0881743c67e28b9eb9c

    • SSDEEP

      384:FBwarWLBni1EP/6Jt0HXi/krkXIsIYidvjaAM+o/8E9VF0NyJ58:IiUBi1EaEk49Yi0AMxkE18

    Score
    1/10

    • Target

      Nursultan Alpha/awt.dll

    • Size

      1.4MB

    • MD5

      a5e35f0865086301569cfa6d95002840

    • SHA1

      9d5c01509ac323b0632335127bd76ffd52a892b0

    • SHA256

      367b7013e95ccf8d2164b05b0866b18bda07722f96587558f409aac7ae59e5b8

    • SHA512

      0cd18a3e60c501dd2326e22cf7c4e9e525d61282ec64f6fe3c2878ba714da7065ed70d132cb07b48e258955a759d37c1b3f912b97f92f720de6b615c74d41de7

    • SSDEEP

      24576:dYo+TXddw57KUODOL7ySNxJ1u0XYwDsAbU7ksVLlWWu2QEHrxa4fGKHm:ePTXdI7YMmnwDsAg7ksVLlW92QfEm

    Score
    1/10

    • Target

      Nursultan Alpha/dt_shmem.dll

    • Size

      36KB

    • MD5

      662c3d0a58aea143d2fff33f007d2ce5

    • SHA1

      ac71b3e0aeab5b0834eff202d67701c5be1e031f

    • SHA256

      95b94c2d3ce1e335f87dd6bfc04176dfe0ae89aa991d9ba08cef5e59c54ea0a7

    • SHA512

      6df5683ffdf49d0f7577d13e0d897aaf3a2e0c4f9ea3004258d03f1252ebc3073f4246d95b267735cca8436109270b41e5fb619d5d1ef9e0c88da06379806f64

    • SSDEEP

      768:tcCtsAywCYINEJk4m7EfFcOZIeYi8AMxkEoRzyn:tcCRVLm7EfFcOZIe7axt

    Score
    1/10

    • Target

      Nursultan Alpha/dt_socket.dll

    • Size

      35KB

    • MD5

      ab07b5e49263290445cda99d725cd8cc

    • SHA1

      efda2df2c041c09c7068cfda85d6853d32aac0d0

    • SHA256

      d0c6d2f495e5d018e5adc8be931bbf8aef62a53dd669d45871032b73ea2d436f

    • SHA512

      7317ee0a75f8021b078ca483cfcc21430217a26f7f8637a16871655469221ace99d6523d5f77da0e96fcef5410f12deb476d8e41bc32d6fbeb58012c1af0b24a

    • SSDEEP

      768:s4uJtgobBJVtQxHIlH7gmKblIdhYi4FAMxkEv:s4uJtgFxqHwedh749xT

    Score
    1/10

    • Target

      Nursultan Alpha/fontmanager.dll

    • Size

      826KB

    • MD5

      63f7536ad3d0eafa0d844fca44d8c05c

    • SHA1

      4c9756bc4024cc1abcddfc3997ad24755e6728cf

    • SHA256

      939db275516410ed38c9b5394fc331de581e808988a95c6fdbff72d1889c96f6

    • SHA512

      ab5e1b5647b570b7be7fe97b9ed171ffe7290769ffe129266f1a71824d6c0bb3a8b16339bfde0cb24a6067044728a01400230ff4bf174e32bcc2103f0a6f04e7

    • SSDEEP

      12288:WJkvW0/a/aOmhWOK/Xx4NoZ4qknRof8llcwxXzeC:80/kmcj/XiSZ4X26lcEXiC

    Score
    1/10

    • Target

      Nursultan Alpha/freetype.dll

    • Size

      536KB

    • MD5

      ff1ce3471c79a306059fddca3a853a00

    • SHA1

      b7f1e72a2cbfb8d3217f7a5c2b6ad374c6b1e3e2

    • SHA256

      951181210d554b4db1b638345eb30457ad11c8b625b283b0df86f67141ae3059

    • SHA512

      d5d6e187888f676d3582440d86e1e3d7ca5ef79d4cecbe1263702646c96c5691c43553002457cc8921e1fd8987717663c58601adf4e5ae80909988198d7fc34c

    • SSDEEP

      12288:KhADVG7gNFjnG43BGCGl3cgrifEWm35sbBxuD:KhQGWi43BGDPZ35ME

    Score
    1/10

    • Target

      Nursultan Alpha/instrument.dll

    • Size

      50KB

    • MD5

      a27ae7661d6e58a3d7d9b242c2f30b3f

    • SHA1

      80701d86898d1bf6c825392db754884263f2df1b

    • SHA256

      9e0149f61de1fda5856cc5ebedc2e268fb6967fcd1c41559ec2d368a0d6ee593

    • SHA512

      fa88fd46faf4b5ab57b70cd327453c3be01a3874384b4fd37e10be36ec1e67eeceb5473459aa08ab8a74d8526f21a2bb0720782efa5ab6761512239379843bc7

    • SSDEEP

      768:xUMt5X6J4NQRdnDm7KtNvIdqIE24sh/DvFkE1tV35TYiQAMxkEZ:yVJOZdqIDvmELVJT7+x9

    Score
    1/10

    • Target

      Nursultan Alpha/j2gss.dll

    • Size

      49KB

    • MD5

      3e06f0d75815a429e77cfa42519dff51

    • SHA1

      46101f04e49cea2f9ca513a14d6e1907dd7746ed

    • SHA256

      943f9a48599b46db5ddc9337107844e22e8228f221807c2b606f30b7c3d6329a

    • SHA512

      39a6886ba6f851658e68fa83d7f97d6ca991332ae4c8a4b0bbfa0f62e892ed7aa8d1868741310757b333f1178084c1c1eb3d065e428a2f7da3c18f3afa44062a

    • SSDEEP

      1536:FSx2TnHUwCK3CEgCG+YDU1MK27xb74zx9m:B0e27xbUm

    Score
    1/10

    • Target

      Nursultan Alpha/j2pcsc.dll

    • Size

      25KB

    • MD5

      8817f56b6f4c48e211cee2c4c5560e54

    • SHA1

      f90644c91512a1436027df0705523a1c3fa770d8

    • SHA256

      15edf17174b74ed031a951139a0855faae3758bc02e6a68126e46fe223eff73a

    • SHA512

      74057452e10371cc87e3c1cdc2f29dd624880179ec332eee872190cc71efc601017a9efeaba2e2cb75b9de483fe86fefc66b1717e1f9bfff9a79484543b99116

    • SSDEEP

      384:Ys83Idkz6D8jbOlEt8TqYHgDg+IOD2Kc7rIn4IYidvjydxAM+o/8E9VF0Ny+lmT:YsRSz6WKBqYsQ7snhYikdxAMxkEKmT

    Score
    1/10

    • Target

      Nursultan Alpha/j2pkcs11.dll

    • Size

      76KB

    • MD5

      b94e2d29532d6d96ad9b84ea27b38ba8

    • SHA1

      acf990da850ef4c80fb0cd2e269fc43bd9c17525

    • SHA256

      f29758848a2a27b972769be54840c515785a6af1c0a428b2cc105a33bbc3df03

    • SHA512

      79f074f90ddbf1ccb57e94c4089f53209bc3f94859c3c642534f4f5bb761e33b980aafd275642729253217c10c2b27ba82c869ae15d5113c91538b6c9d1bea90

    • SSDEEP

      1536:i0QNmKjarmtseeV59vOq2W3MWiV7UsEayNqxV6FSP59XvhRFPSe3i3NsqVolyHb3:D4mKermtseeRWq2W3MWidpyDHtX7mm

    Score
    1/10

    • Target

      Nursultan Alpha/jaas.dll

    • Size

      27KB

    • MD5

      9698151ea41b729942072646aa2b145e

    • SHA1

      4159e7248b594a59606eece15566b04c3b7cfe3e

    • SHA256

      c96e295149f0880aa8f4abd01ddec38a18c88d47616b3552aa6db777f6b31f4c

    • SHA512

      48b07ef1cc96aa2fafedf8edddf050111df819ae46d1eb80886beb8320230bca4fc294d9c3745b25aea8569c5757180e85e8be7b7b4606f5085395ff5beec14f

    • SSDEEP

      384:E4fwOnuGpnO0+12KKFSk11Q/bxGzmsAIYidvjm8AM+o/8E9VF0NyUVV:HIGpRaK8k11SGCMYi48AMxkEqV

    Score
    1/10

    • Target

      Nursultan Alpha/start.bat

    • Size

      2.3MB

    • MD5

      c473326baa0562bc1081ac3fff5fadab

    • SHA1

      79ae481230a4aeb89232b60bb015c7f376cd70d7

    • SHA256

      66058290e904b349c68a65b6deac3875acf5c9b618bd31756f1a9cbde2cfb83b

    • SHA512

      f822532e90006b0e69305a93e01512185a1a367ebb734e8b8c443efb716abe1d4460f246b70b32e7e18c8fc6aa7db85ec039d59773305e8061375b0634351ff5

    • SSDEEP

      49152:IBJPbv4/KHiciethGCUA1TJeUCMkiOT3eY1CKzuJtGvAAzT:yNbv4/BUVb5JLChiAu1evAoT

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      Nursultan Alpha/workspace/nur.exe

    • Size

      78KB

    • MD5

      1ac8c816761e434a1f2f57fd6b1ff2ce

    • SHA1

      ea93e41e41697445fb0e9d87e22c39f92574a256

    • SHA256

      a3ad9f1252629d998935892cbf29d6678f5bf12244cc1687d7bbde4bb6f9855d

    • SHA512

      08008e9b57b3e0bff46b82098bbb85bfe78ecf9b0d0062956b31724e29376910d5ead41179864975ab233998c8cf9c6402f21bbd0928496bf1c3270ee99d7a8c

    • SSDEEP

      1536:gBMjqMnGJcI9Nkl92+TJ34TO6X+bEwZfvG/Ke6VJXRQmLOVrCgVxcpum:g+qMEZPo4TO6X+bEnCFJXqcOVrCgun

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

xworm
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

dcrat discovery execution infostealer persistence rat
Score
10/10

behavioral28

dcrat discovery execution infostealer persistence rat
Score
10/10

behavioral29

xworm execution persistence rat trojan
Score
10/10

behavioral30

xworm execution persistence rat trojan
Score
10/10