Overview

overview

10

Static

static

10

Nerest soft.rar

windows10-ltsc 2021-x64

10

Nerest sof...ER.exe

windows10-ltsc 2021-x64

10

Nerest sof...ER.exe

windows10-ltsc 2021-x64

10

Nerest sof...pi.dll

windows10-ltsc 2021-x64

3

Nerest sof...pi.dll

windows10-ltsc 2021-x64

3

Nerest sof...db.dll

windows10-ltsc 2021-x64

1

Nerest sof...ft.dll

windows10-ltsc 2021-x64

1

Nerest sof...db.exe

windows10-ltsc 2021-x64

3

Resubmissions

19-01-2025 17:36

250119-v6zj9sykbs 10

19-01-2025 17:36

250119-v6jh2syngr 10

19-01-2025 16:37

250119-t5adbawrcp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nerest soft.rar

  • Size

    10.7MB

  • Sample

    250119-v6zj9sykbs

  • MD5

    36a311bd68a15d33cf34f2d5a379f575

  • SHA1

    436e425d3a8c52871da0bead8a0935a5c82bb160

  • SHA256

    995b076987f2c8c9217c04b52f4a618dd317d5d5415b3898ba107d12a8e9522d

  • SHA512

    e683aff0d6c77ba47de449f04062c41ad7e30b00768c6d8508f584ead812edd2d0ae4e9d938b8532898ff8f9902676b1163bd387546db6435fb5d19c072a0e08

  • SSDEEP

    196608:x8dOjq6AUN3CFaLgkag0igtXbShm+PH/b1D7Xo0YwYpfn+aA7aPUP/e428iXdC:WT1UN3FLth03Xuhm+PTVN1Yd+b7aPWsk

Score
10/10
xwormbootkitdiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

back-spots.gl.at.ply.gg:21395

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Targets

    • Target

      Nerest soft.rar

    • Size

      10.7MB

    • MD5

      36a311bd68a15d33cf34f2d5a379f575

    • SHA1

      436e425d3a8c52871da0bead8a0935a5c82bb160

    • SHA256

      995b076987f2c8c9217c04b52f4a618dd317d5d5415b3898ba107d12a8e9522d

    • SHA512

      e683aff0d6c77ba47de449f04062c41ad7e30b00768c6d8508f584ead812edd2d0ae4e9d938b8532898ff8f9902676b1163bd387546db6435fb5d19c072a0e08

    • SSDEEP

      196608:x8dOjq6AUN3CFaLgkag0igtXbShm+PH/b1D7Xo0YwYpfn+aA7aPUP/e428iXdC:WT1UN3FLth03Xuhm+PTVN1Yd+b7aPWsk

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

    • Target

      Nerest sofr/!LOADER.exe

    • Size

      125KB

    • MD5

      0324d4d7ff2026809d8c3f4bd0f3573e

    • SHA1

      73f39a2778bbaa29246a75a7274b8bc7836bd329

    • SHA256

      e14dbac690979b4fa9b2fee4a8221bfdcb03500458d3f9c8912fa1e0e4674492

    • SHA512

      0209d6abb503a2698ee3bb8393da8b7622c3f6318f7aff8173a2406abc31d5d422002ab47113a85e2b7dc292d6735c23fd083aa1c1de4dd275a6e0f28e091f6b

    • SSDEEP

      3072:3uZ+4zKUSfFzqbaQgKA64kCOd4pUzaewwQU4OHRemSL:3gKJFzqb3A64kK+zBuU4OIm

    Score
    10/10
    xwormbootkitdiscoveryevasionexecutionpersistencerattrojan

    • Detect Xworm Payload

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral2

    • Target

      Nerest sofr/bin/!LOADER.exe

    • Size

      6.9MB

    • MD5

      de24df122fbc3293087f4939c6fb8b16

    • SHA1

      a061e90c61d9ca357d0f4592bd0768432338fa94

    • SHA256

      ccccf05053891883f6268a31390b3a731fa6b787b16e2c0dd429a31e5878acb0

    • SHA512

      ac27ee610c535d3f5eaf6c03ffc7dd59d30f96bb81e029258f507cffdb243db87533ca10b79846810e624223ac6cd5515c10832f1e907fd37edd4ef6365eb503

    • SSDEEP

      196608:GKah1rbvnKfTMLXla7cJz/FUtUK+hLFV/Ap:GKa7r+fTMLXla7cJTM7+h4p

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3

    • Target

      Nerest sofr/bin/AdbWinApi.dll

    • Size

      105KB

    • MD5

      73030f38c867f5a7bd6ee331203f3d7a

    • SHA1

      3e71b43c9b25af29bb4b8f455c176c5e89404567

    • SHA256

      9ffacedc41b2752075571e1a474ff50c5dcbe1f64db56db24aaec78aea1126df

    • SHA512

      492988fc89ae61e3af4904c0f593fbc4703293a915901ff98824cdcc77a7ac695faee8e1da56c66e3e2591216234a609841fb2393ce1dd2aeb91014952c6a297

    • SSDEEP

      1536:2wqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCPP7r3PxUU:2wqD3L8Tezq0et+ui1y6vxr

    Score
    3/10
    discovery
    behavioral4

    • Target

      Nerest sofr/bin/AdbWinUsbApi.dll

    • Size

      71KB

    • MD5

      f67d9ec28d19316754d7ecb0e990197d

    • SHA1

      a82ba3ad1a0749dd91eaac34dced3622d10dba54

    • SHA256

      13918fdab0c3ac77d077453a6036247cfeca10910aec845f188c41148c630bb2

    • SHA512

      abd80e386ce282bbb4727c7bd795d7bb0046fecfe65b005c98609f18b341606166187e951a5beacb5112726eab28bf9b75b383cb55ca9d0303b286389fd25022

    • SSDEEP

      1536:q72doFmOiHizFbPlspcsbj5ZsP+YeTs1pH7tsPxHt:qSSfN9+YeTs1pHJcxN

    Score
    3/10
    discovery
    behavioral5

    • Target

      Nerest sofr/bin/HD-Adb.dll

    • Size

      312KB

    • MD5

      2cf358b3df9fc248f9726053785089e7

    • SHA1

      d4d71f77870f116a9b204ffedda541409f44476f

    • SHA256

      ad34e46a3cfc56ba3ec36ef9e30d6fb98935458f193da13d86d6310ba472bf29

    • SHA512

      133991239feb273cf69865e4c0c6533e09f057168fbf8fd9fb207ee91c0507971f0e024c56aa5fd71b4253adbb21ec0a231a00b71312e411b451ac3cd52ef897

    • SSDEEP

      6144:aKVFshAQihzsX7KKXvX3giEc3TrOmnwlDG:avgzSL/g0X7wlD

    Score
    1/10
    behavioral6

    • Target

      Nerest sofr/bin/Newtonsoft.dll

    • Size

      4.5MB

    • MD5

      21a3efa43d3e25885f5e6c53dacbb213

    • SHA1

      d0d3ad3a82b4cb7f5ddc3bbefe10e39c21a1e31d

    • SHA256

      48178d880dfbe65524431ac67b3415649aab3935f37a8bd82b6fa9c64226277c

    • SHA512

      8ffd19b8fec82431da20045733cb9160b09fcf1c0c2716ee0c356f2fb277a30a47bd0bcc9736ea09819112399913762625c8e9b74eefb53817d20054e99ff99d

    • SSDEEP

      49152:gAbFJoSDvzKfOlGGmTQTRDK4u4ppCrALIU6iN/kt2g1KriA8OjSTuRlmrszluyAx:gKJVWOAsTcwpCH+NctP0S+lpbMTp

    Score
    1/10
    behavioral7

    • Target

      Nerest sofr/bin/adb.exe

    • Size

      5.6MB

    • MD5

      f1f479bba21298e758fc22d8d98f8e48

    • SHA1

      2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca

    • SHA256

      705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183

    • SHA512

      3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f

    • SSDEEP

      49152:p1bbBWmqcEr5DV0uLC5sakvVgieBn5BzPZjdZYvM+ojzJLF+vW6Daa55pXxNh9Vm:hgV5mkvt6NzZYU+iWz5iXGTailRRQd

    Score
    3/10
    discovery
    behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks