Overview

overview

10

Static

static

5

temp/temp/...er.bat

windows7-x64

1

temp/temp/...er.bat

windows10-2004-x64

1

temp/temp/...er.bat

windows7-x64

1

temp/temp/...er.bat

windows10-2004-x64

1

temp/temp/...ht.bat

windows7-x64

8

temp/temp/...ht.bat

windows10-2004-x64

8

temp/temp/...er.exe

windows7-x64

1

temp/temp/...er.exe

windows10-2004-x64

1

temp/temp/...er.exe

windows7-x64

1

temp/temp/...er.exe

windows10-2004-x64

1

temp/temp/...gs.vbs

windows7-x64

1

temp/temp/...gs.vbs

windows10-2004-x64

1

temp/temp/...ol.exe

windows7-x64

10

temp/temp/...ol.exe

windows10-2004-x64

5

temp/temp/...64.dll

windows7-x64

1

temp/temp/...64.dll

windows10-2004-x64

1

temp/temp/...64.dll

windows7-x64

1

temp/temp/...64.dll

windows10-2004-x64

1

temp/temp/...mp.exe

windows7-x64

10

temp/temp/...mp.exe

windows10-2004-x64

10

Resubmissions

20-01-2025 15:14

250120-smhfjavqhx 10

20-01-2025 15:13

250120-sl6rqsvqgs 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Vson I Temp.rar

  • Size

    16.8MB

  • Sample

    250120-sl6rqsvqgs

  • MD5

    b97fc35921f8b2f60e4ebda757a161fa

  • SHA1

    41825285f8b8dcf3dab275a8427037d62860ac39

  • SHA256

    bde9aa21edb27047da788869a13e5f81f6fc8beca594f07fb70236dca1a1f139

  • SHA512

    e3393d73672943223583cf00ce837cf785ded421cce4243a757ddb3724487b96d9b4a0294c47a47210826087187974b62824a4269bd2a0e10470f2f755210a4e

  • SSDEEP

    393216:2PEV8LR5nWvyP/QpfAnFKdEfqdnx16XBap4NT8ibU2larSFFTff:aIa5WUopecdnABai8mUu6Sbf

Score
10/10
xwormdefense_evasiondiscoveryexecutionpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

45.88.91.79:1111

Attributes
  • Install_directory

    %AppData%

  • install_file

    Update.exe

Targets

    • Target

      temp/temp/temp/temp/Serial Checker.bat

    • Size

      831B

    • MD5

      119a816fb17e3c634deda5fa650bbb50

    • SHA1

      ee6fbcfe647a2b943e991797b08e10e2dd9eef5f

    • SHA256

      8e04607e18f90a99e360f4bffe37102b20006143859c87ae845694512b41094f

    • SHA512

      78d69503835da46a427afb50fd3dcb7d0dc246b89751d42533afb8bf8a0a0e5f78f78d350507460b5b421af0ae4b822ee2a435ab1962bf411fa5d94a663d6e2d

    Score
    1/10
    behavioral1behavioral2

    • Target

      temp/temp/temp/temp/cleaners/FortniteCleaner.bat

    • Size

      1.5MB

    • MD5

      2429db21a224c48fa6b17e55a6762328

    • SHA1

      f86eb0c2de25e8970add83b66253d3f18b0994e1

    • SHA256

      365685c1e71944bc955c6be46cc33a44099bcb0f8c625228e89445f18866b778

    • SHA512

      0487e79a9b2b427f8c0e5bb860e78039bcf29626bd58ad8190df858fcfa130d15add3fcd350cdadaccbc1d2e13f822dab76e418029d692d2ccd972594b4c0e23

    • SSDEEP

      49152:9TOB4ynYygOvXsMruROZyUpWvWOLZkORn:b

    Score
    1/10
    behavioral3behavioral4

    • Target

      temp/temp/temp/temp/cleaners/Midnight.bat

    • Size

      104KB

    • MD5

      98c35392bddb76264b1004a0dbf67236

    • SHA1

      2a32cd70da5f7a7fd43952d066f705538e980191

    • SHA256

      5a21145b429b84651b8b30506382c7643e631bc917de152d70cf6aa8fdfb15b8

    • SHA512

      532b6a175755d340f8f5424dadbbd1ee0dac1680979e2365000024a63d226869c12384600597276217b73be7664fe6735da96fd6fb9dc1bd8fa6a5208c219202

    • SSDEEP

      768:l/KZzmezl/svUsfg8gVhCBL1oPY8xC01n5xpoL8oPlRPOpL5LvLpLjLgzJu/:Fg8gU61nvplxL5LvLpLjLw6

    Score
    8/10
    defense_evasionexecution
    behavioral5behavioral6

    • Target

      temp/temp/temp/temp/cleaners/Toruney_Cleaner.exe

    • Size

      135KB

    • MD5

      03c9069653a814dd3a0d69d1431145eb

    • SHA1

      d57ca643bfb63dc9df696054ff12770132a81038

    • SHA256

      d5b857f4972fea91c9d476905d4fb6f80de89df311da0dce83adfbef4d32d1b3

    • SHA512

      b7958fa0c0d2953ed4062f2e241f982377b4b0f990a179da9bf328a39e0a00b79ee76a537cd42482d2d782e33e36f390c85585d88fe16b882e67c4c9edd366cf

    • SSDEEP

      768:EcLW2SN3ItwfkDG7FIMXVGBzn5v1QLKeJunPxrU+lP/X3Zwkin9Sbh9Sb:LLWDN4qfkDo8z5tMGP9U+BBBuC

    Score
    1/10
    behavioral7behavioral8

    • Target

      temp/temp/temp/temp/cleaners/cleaner.exe

    • Size

      63KB

    • MD5

      ce27988cc633ed4e1ea1ed4bfd94e6af

    • SHA1

      ea627f85d7b710266d6eaf4c741fbce49d329c94

    • SHA256

      ce283342401e7fe747fe0ba57befb47465bdfe0f96ddfbeb869496684d6dc967

    • SHA512

      6204358139fc5bf8b8b12f8fdcfb5c3f615ce20e651fcb60042376b9d1cf5e5e02ec886a20bdb71ff94ccab16c5881da508431c288e31c9c134dfa10c79e48e3

    • SSDEEP

      384:y943jeTsybDGc9VIJ9KWSCGEcTvMtpAqFAgZl3QfBX8d7ptPQ9Z7L:vyPLoMMnAGZlGB6PQ9

    Score
    1/10
    behavioral10behavioral9

    • Target

      temp/temp/temp/temp/d control need/Defender_Settings.vbs

    • Size

      313B

    • MD5

      b0bf0a477bcca312021177572311e666

    • SHA1

      ea77332d7779938ae8e92ad35d6dea4f4be37a92

    • SHA256

      af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9

    • SHA512

      09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

    Score
    1/10
    behavioral11behavioral12

    • Target

      temp/temp/temp/temp/d control need/dControl.exe

    • Size

      447KB

    • MD5

      58008524a6473bdf86c1040a9a9e39c3

    • SHA1

      cb704d2e8df80fd3500a5b817966dc262d80ddb8

    • SHA256

      1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

    • SHA512

      8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

    • SSDEEP

      6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

    Score
    10/10
    defense_evasiondiscoverytrojanupx

    • Modifies security service

      defense_evasion

    • Windows security modification

      defense_evasiontrojan

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral13behavioral14

    • Target

      temp/temp/temp/temp/libcrypto-3-x64.dll

    • Size

      6.1MB

    • MD5

      e7463d58d7aff43c7d71a3847ba8201e

    • SHA1

      1a030443545820af4edea017c64da1233a6177a8

    • SHA256

      2249476a14dea73ae271d661483bdc6c15e45b931f8dbfd0bd1b84193cf420ea

    • SHA512

      2155a8fda32b9cb0f9029ce9fd6b418322b392523bf641b67eb885afc219a9b4942bc37292f32d190f128864b3f5830a8eee44dfc29623689bf0d5b259d0859a

    • SSDEEP

      98304:dP+C5HnwdCqOB1rpZtC78tPq1CPwDvt3uFGCCN:x1HnwNOLpZtC78tC1CPwDvt3uFGCC

    Score
    1/10
    behavioral15behavioral16

    • Target

      temp/temp/temp/temp/libssl-3-x64.dll

    • Size

      1.2MB

    • MD5

      10cbd37c4df0aeff2346ba2c2038b420

    • SHA1

      499495a812dcc64ae01f75522eb8ed57699ee090

    • SHA256

      18babfe5f3de3d0ceaa4bd671d7d3c808c8f788ca9782117b74d5b4900a2d250

    • SHA512

      f859a516c4a5c73b68c9051bd28392aa4617b1f9ca45879257c8e43321ff0cf35b71f176f267184ac892be8b1c87e816aa78fcc1ac77fad2bd932ec7300c564a

    • SSDEEP

      12288:o3IaOMsTeC9cz8D7qs4SjIgtBwfcVXPz6dVr5yQH+BrMnfdEVB3:o3IX99c43D4S5kcVuTQQHmqdEVB3

    Score
    1/10
    behavioral17behavioral18

    • Target

      temp/temp/temp/temp/vson I temp.exe

    • Size

      15.6MB

    • MD5

      328e91dbd965eb1f0902080bc81df413

    • SHA1

      7a049c89f8fd79f0b91e12bdff17affd2066e403

    • SHA256

      11ea437ffb781fc9b93a6dfda275736ee591c14dfb860aa165a357974e90a352

    • SHA512

      1e7e40e54db78ac7d78eccf98d6c34a6f70c29639c010c8512ffa56f06755bc445c161d990913ca2299ae3602f474b4aa0b34fd5fd728f9a473745aeacb4ce3e

    • SSDEEP

      393216:nTvw6H8s1QzwNUJVtoMATyVchl49o1SrBqqxSlUa+PMsw6E3sSwr0DN:nJcJwCJEM7Vcf49LwUa+PDEsP0N

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks