xworm

General

Target

PhantomCrypter.rar
Size

4.4MB
Sample

250120-sffncsvpcr
MD5

cadc20fe62156ed14596f58359c11161
SHA1

709e94b32d14ef436f20f31090500c1ae3c8fc3a
SHA256

85df9fc4b8d48b029a6d135a743092a2421bef43785390a6a847eadd42da2047
SHA512

b2ad7a9a365cb6c7c793d05e8f78c3b154577d6c90f99d5c59f1bf77f2d34e640120e4f7efb2772a427b8382f6433dd9fbe0fd2cfed95604e96a667545d1f9c7
SSDEEP

98304:6RXA/JzyT9UJks+11lYCJTlxs0j1SHjEAGQLSBGRl3hx94iinoK3R:IXA/JzyBUJ8y3YQQAGQmMOTb

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes

Install_directory
%AppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/eZa6J63T

aes.plain

Targets

- Target
  
  PhantomCrypter/PhantomCrypter.exe
- Size
  
  5.2MB
- MD5
  
  e877adfe74b6bd2ad9b9f5c73f839152
- SHA1
  
  ff73461cd1fc5d9755d8dfa135ed3f6401989d00
- SHA256
  
  71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96
- SHA512
  
  7c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1
- SSDEEP
  
  98304:KUJgH4K+NsPeD9k/OYU2HkSBEIHFP2gH4KdBwgH/fkEihw:KUcT+NsPOkeLAVFXTdBwgH/Mr
Score

10^/10

xworm discovery dropper execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Download via BitsAdmin
  dropper
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  PhantomCrypter/System.Web.Extension.dll
- Size
  
  685KB
- MD5
  
  1b8bffeb6242422d2b4112f161a434fd
- SHA1
  
  d8de9c4eabd345264aa75f2442c39cce9f3fec06
- SHA256
  
  f6118ec980c5f9f98b1ed002c6f2ca0ba11bd455d38aa08466c11e3d0eda4814
- SHA512
  
  df1f5129f788c9e54cdf86c5d5945614915936b0edb43b101474c58a54b742224f2b5b3128c80485e1ffef1705858f8d2a32a529649d290cc544d4f08460ff0b
- SSDEEP
  
  12288:iNdolbMYpjTlmCOuvTaQ4mt9oLIESAxkAWuncJaha/TIO75+sfMRe:MUpjTlmCOuvTaQ4mt9oLIESAxkAWuncr
Score

1^/10
behavioral2
- Target
  
  PhantomCrypter/System.Web.Extensions.dll
- Size
  
  685KB
- MD5
  
  1b8bffeb6242422d2b4112f161a434fd
- SHA1
  
  d8de9c4eabd345264aa75f2442c39cce9f3fec06
- SHA256
  
  f6118ec980c5f9f98b1ed002c6f2ca0ba11bd455d38aa08466c11e3d0eda4814
- SHA512
  
  df1f5129f788c9e54cdf86c5d5945614915936b0edb43b101474c58a54b742224f2b5b3128c80485e1ffef1705858f8d2a32a529649d290cc544d4f08460ff0b
- SSDEEP
  
  12288:iNdolbMYpjTlmCOuvTaQ4mt9oLIESAxkAWuncJaha/TIO75+sfMRe:MUpjTlmCOuvTaQ4mt9oLIESAxkAWuncr
Score

1^/10
behavioral3
- Target
  
  PhantomCrypter/dnlib.dll
- Size
  
  929KB
- MD5
  
  d566533b5ce53b6bc69a00992be8acd3
- SHA1
  
  c49a16a234179bc0b3ac695a058240965cd9e93c
- SHA256
  
  21f2ffe5913733113bdad41c0698298ea8c15e6f6292454da05bffc44038c9ec
- SHA512
  
  10cd6e3de7ec94cb813a48698d6dea4e09230c93262e13b49dad23927e3241efa8d01c74b8a03031cb6e6bc928fbc0165e174b5cb92d928fefd4205bd09de94a
- SSDEEP
  
  12288:ZBZndQL5VHvzQXlNR2jGxXAvFWfOaJRlIIMaOLVNCxqo73A9aZ:RcvzQEGCyFliamC0o73ia
Score

1^/10
behavioral4