Overview

overview

10

Static

static

10

HunterX_V1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HunterX_V1 (infected).7z

  • Size

    72.7MB

  • Sample

    250102-gbnbvswlby

  • MD5

    b6b15ede92f4aadbe165ac6299963b00

  • SHA1

    8fbb74c642056c48e51ca5dbd2289b4d7156cc01

  • SHA256

    ea4c4f02fe0ea732e56bd534b6191a3ada46aea23757f121b71d84dc65f642f3

  • SHA512

    dcd3a9c6a89238a5b04a49da532d027a2df00a1c38ee27581a017029d35808496ee0bd35a190f37057ccffd197829d67da591b96b94907393edd22ec8519090e

  • SSDEEP

    1572864:WoSxTYvOiAaKPLHvWxxiSXiXKdy66aq82bHCLJaZ9KbldT2o:IavOiSLHvWji3Kdv2bHRQ6o

Score
10/10
silverratxwormdiscoveryevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

SLL.casacam.net:4444

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    systempu.exe

Extracted

Family

silverrat

Version

1.0.0.0

C2

SLLSS.ooguy.com:3333

Mutex

x_ipNAVkdRSH

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    V0RMbU1BWVNGTlNTblZNcktSdUdKTHpXZ3Bja3NS

  • reconnect_delay

    4

  • server_signature

    cSQzQCf6F3J2JnTb2AFrxUoisQLtzNsGfQR1v9wj/4egVuzVarIJVO3pBEpByK/WkcB9UkO4ZvYd3AuTtCiqGYb6Wy1+2wBsOooyk+RH5byjQGQLuQ9aw6yqxln+3wfIQGnTyhkzHu1w07eeR8TKBzCoAa9K3cc1VI10qK61f/G6xZlz13UqN6rtyu6CHWw9sXvCWPquz9z6WuvfDT6unjI4zRyby9f8drQvK3qdGRBIYabFMx3RbuQ0kYteHvrYlkixtUbIlwB97UR4yKx6XCyFZ5btaxpbVkiWZnAXjS7qoj4or2sI0ce7x6838qXZuXWmm5zqqbaa0zIKsVuG9t0RhPiBDx6xpMoY+S9Rp4MCHOrid8UVpc5qpdb1FsvRdDyRyXjtBlfWnYnsZuDMt/xNVLwnfEH7IeZRhAPsfQbhpH97UBuI4yRW0z1Ywg3heZugeJ8i3tJwAQ71CzVTbNWNEHSedLN6h7BKSVbcXAI/WQQHr3aTOOlDzCyjRHpdBMQOzBiuUsK/BqLJ+z+7MBuZoYFM5HVAZxMYiATEzqgdfhvKkQr+9ojhm1bGlBYfLkS33cvkkgRlgCkHHfGsJp65WU60csYXje+MBT/iJPHFf2e1I5sL9xI9RxY9dFzWOD+eYg2osuGm+fal3DU/3m3zbms+LKQVXHszsELNKl0=

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Targets

    • Target

      HunterX_V1.exe

    • Size

      73.2MB

    • MD5

      a518a13a9dfb2f4e4ad1c696e41b3866

    • SHA1

      b784968ffafc8ee846291991cb895e79b6ba5a49

    • SHA256

      0bb63ed88d325403bca8efd0b2890887ed1f1619bd5c5ee1092a2182b4106b2d

    • SHA512

      4600d9004e38a57ad0b2ade6b2bc19ba6338a69689355cc2ffd427a13d9cb8387169d73dd38595115e935e32cf76b4b574bf6a009661bddbc20af1c675a7ffd0

    • SSDEEP

      1572864:syYytvKL3qcxnuAOqzpgMjjWpXijl7UVb3BOpiy1Cfe8sEF8mye9gu:C4KmcxucyXw7sOc26e8sy8Xer

    Score
    10/10
    silverratxwormdiscoveryevasionexecutionpersistenceratspywarestealertrojan

    • Detect Xworm Payload

    • SilverRat

      SilverRat is trojan written in C#.

      trojansilverrat

    • Silverrat family

      silverrat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks