Overview

overview

10

Static

static

3

fatality_loader.rar

windows11-21h2-x64

Resubmissions

16-01-2025 20:24

250116-y67sesxmgw 10

16-01-2025 20:21

250116-y4yfzaxqhj 4

16-01-2025 20:03

250116-yss24sxlel 10

16-01-2025 19:53

250116-yl22fawma1 10

16-01-2025 19:45

250116-ygh3rswkdz 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fatality_loader.rar

  • Size

    956KB

  • Sample

    250116-yl22fawma1

  • MD5

    5c917c1945a53e6c6fd9e55c52a5071f

  • SHA1

    33829463306b1ea8d8997c136c7ad87467773cef

  • SHA256

    fda69ccb7e8acf085194e1359b1facf3b7c8f5b8eca43172a2a199d22aa675a9

  • SHA512

    69d4e041c83e2298c1c8f56a48dee9be249ae4ffbd84b75a94203015cfde21998b8f798798de55dd9ab1813550c2442d89a84e1586a65c8c96d8f64513353e43

  • SSDEEP

    24576:Rej8HegWnDJNfJJB8XWQ/zx7raihPUOOORYgZ:S8HfWDJNGXZ/Nra4rpOgZ

Score
10/10
xwormbootkitdiscoveryevasionexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

star-telecharger.gl.at.ply.gg:27119

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      fatality_loader.rar

    • Size

      956KB

    • MD5

      5c917c1945a53e6c6fd9e55c52a5071f

    • SHA1

      33829463306b1ea8d8997c136c7ad87467773cef

    • SHA256

      fda69ccb7e8acf085194e1359b1facf3b7c8f5b8eca43172a2a199d22aa675a9

    • SHA512

      69d4e041c83e2298c1c8f56a48dee9be249ae4ffbd84b75a94203015cfde21998b8f798798de55dd9ab1813550c2442d89a84e1586a65c8c96d8f64513353e43

    • SSDEEP

      24576:Rej8HegWnDJNfJJB8XWQ/zx7raihPUOOORYgZ:S8HfWDJNGXZ/Nra4rpOgZ

    Score
    10/10
    xwormbootkitdiscoveryevasionexecutionpersistencerattrojanupx

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks