General

  • Target

    dick.exe

  • Size

    38KB

  • Sample

    241227-s4cllswqdw

  • MD5

    ce2283cbadee69f3121bf2edf38d6d80

  • SHA1

    a32a7bdf7efe4974ea7102de4a23ef14fa08d21a

  • SHA256

    af9a1baabfe853c60867995982763b19a5cb53524930fe4e3e149349c51bcddc

  • SHA512

    79ad56ebb57f86f04133d7b9786cfe93aeba422cde054795e3bdd4944d2c68f6333d83249faedb7ec4793c81eca3f2a636e9d477823c6c8be4856352786c7479

  • SSDEEP

    768:W7fuHRm9lgWRWkbfcZQpEkU9OfzhBHNZHVb:qKRm0WfbfcOuHOfzf5

Malware Config

Extracted

Family

xworm

C2

review-monroe.gl.at.ply.gg:46169

Mutex

lWfA9hbGdE2IDzRq

Attributes
  • Install_directory

    %AppData%

  • install_file

    Mason.exe

aes.plain

Extracted

Family

njrat

Version

QUJPTEhC

Botnet

ByABOLHB

C2

abolhb.com:505

Mutex

66f73d9b4e94d115b763eaa1ada7d1f1

Attributes
  • reg_key

    66f73d9b4e94d115b763eaa1ada7d1f1

  • splitter

    |'|'|

Targets

    • Target

      dick.exe

    • Size

      38KB

    • MD5

      ce2283cbadee69f3121bf2edf38d6d80

    • SHA1

      a32a7bdf7efe4974ea7102de4a23ef14fa08d21a

    • SHA256

      af9a1baabfe853c60867995982763b19a5cb53524930fe4e3e149349c51bcddc

    • SHA512

      79ad56ebb57f86f04133d7b9786cfe93aeba422cde054795e3bdd4944d2c68f6333d83249faedb7ec4793c81eca3f2a636e9d477823c6c8be4856352786c7479

    • SSDEEP

      768:W7fuHRm9lgWRWkbfcZQpEkU9OfzhBHNZHVb:qKRm0WfbfcOuHOfzf5

    • Detect Xworm Payload

    • Njrat family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check before the payload runs.

    • Legitimate hosting services abused for malware hosting/C2
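The two extracted configurations above give everything needed to hunt for this sample on a host or in network telemetry: the C2 endpoints, the mutexes, the XWorm drop path under %AppData%, and the njRAT registry value used for persistence. The Python below is an added example, not part of the sandbox report or of either malware family's own code. It turns those config values into IOCs, runs them over a few constructed telemetry records (not captured from the sample), decodes the base64 njRAT version tag, and splits an njRAT-style message on the configured splitter. The length-prefix framing, the field order in the sample message, and the list of tunnel suffixes (the XWorm C2 sits under gl.at.ply.gg, a playit.gg tunnel endpoint) are assumptions of the example, not facts stated on the page.

```python
"""Turn the xworm and njRAT configs from the report into host and network checks.

Added example: config values are the ones on the page; the telemetry records,
the njRAT wire framing and the tunnel suffix list are constructed/assumed.
"""
import base64
import ntpath
import re

XWORM = {
    "family": "xworm",
    "c2": "review-monroe.gl.at.ply.gg:46169",
    "mutex": "lWfA9hbGdE2IDzRq",
    "install_directory": "%AppData%",
    "install_file": "Mason.exe",
}

NJRAT = {
    "family": "njrat",
    "version_b64": "QUJPTEhC",
    "botnet": "ByABOLHB",
    "c2": "abolhb.com:505",
    "mutex": "66f73d9b4e94d115b763eaa1ada7d1f1",
    "reg_key": "66f73d9b4e94d115b763eaa1ada7d1f1",
    "splitter": "|'|'|",
}

# Assumption: treat any query under these suffixes as a tunnel/hosting service.
TUNNEL_SUFFIXES = (".ply.gg",)


def decode_version(b64: str) -> str:
    """The njRAT version tag is stored base64-encoded (QUJPTEhC -> ABOLHB)."""
    return base64.b64decode(b64).decode("ascii")


def build_iocs(*configs):
    """Flatten extracted configs into (kind, value, family) tuples for hunting."""
    iocs = []
    for cfg in configs:
        fam = cfg["family"]
        host, port = cfg["c2"].rsplit(":", 1)
        iocs.append(("domain", host.lower(), fam))
        iocs.append(("port", int(port), fam))
        iocs.append(("mutex", cfg["mutex"], fam))
        if "install_file" in cfg:
            path = ntpath.join(cfg["install_directory"], cfg["install_file"])
            iocs.append(("file", path.lower(), fam))
        if "reg_key" in cfg:
            iocs.append(("reg_value", cfg["reg_key"], fam))
    return iocs


def _path_pattern(template: str) -> re.Pattern:
    """Expand %AppData% to the per-user Roaming folder so any username matches."""
    pat = re.escape(template).replace(
        "%appdata%", r"c:\\users\\[^\\]+\\appdata\\roaming")
    return re.compile("^" + pat + "$")


def match_events(events, iocs):
    """Return (family, reason, evidence) hits for constructed telemetry records."""
    hits = []
    for ev in events:
        for kind, value, fam in iocs:
            if kind == "domain" and ev["type"] == "dns" and ev["query"].lower() == value:
                hits.append((fam, "c2_dns", ev["query"]))
            elif kind == "file" and ev["type"] == "file_create" \
                    and _path_pattern(value).match(ev["path"].lower()):
                hits.append((fam, "install_path", ev["path"]))
            elif kind == "reg_value" and ev["type"] == "reg_set" and ev["value"] == value \
                    and ev["key"].lower().endswith(r"\currentversion\run"):
                hits.append((fam, "run_key", ev["value"]))
            elif kind == "mutex" and ev["type"] == "mutex" \
                    and ev["name"].split("\\")[-1] == value:
                hits.append((fam, "mutex", ev["name"]))
        if ev["type"] == "dns" and ev["query"].lower().endswith(TUNNEL_SUFFIXES):
            hits.append(("any", "tunnel_dns", ev["query"]))
    return hits


def parse_njrat_message(raw: bytes, splitter: str = NJRAT["splitter"]):
    """Split '<len>\\0<body>' into fields on the configured splitter (framing assumed)."""
    length, _, body = raw.partition(b"\x00")
    if not length.isdigit() or int(length) != len(body):
        raise ValueError("bad length prefix")
    return [f.decode("utf-8", "replace") for f in body.split(splitter.encode())]


# Constructed telemetry, not captured from the sample.
TELEMETRY = [
    {"type": "dns", "query": "review-monroe.gl.at.ply.gg"},
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\Mason.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "66f73d9b4e94d115b763eaa1ada7d1f1"},
    {"type": "mutex", "name": "Local\\lWfA9hbGdE2IDzRq"},
    {"type": "dns", "query": "update.microsoft.com"},
]

# Constructed njRAT-style message: 28-byte body, fields joined by the splitter.
SAMPLE_MSG = b"28\x00ll|'|'|ByABOLHB|'|'|QUJPTEhC"

if __name__ == "__main__":
    print("njrat version:", decode_version(NJRAT["version_b64"]))
    for hit in match_events(TELEMETRY, build_iocs(XWORM, NJRAT)):
        print(hit)
    print(parse_njrat_message(SAMPLE_MSG))
```

The path match is deliberately anchored on the Roaming folder rather than on Mason.exe alone, since the file name is a builder option and changes between builds; the run-key check requires the value name to sit under a Run key, so an unrelated registry write with the same hash-like name does not fire.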

MITRE ATT&CK Enterprise v15

Tasks