General

  • Target

    NeverLoseClient.zip

  • Size

    3.6MB

  • Sample

    250121-jnshfstmhw

  • MD5

    37219fbedef9c0a1d56912d7dcef84a7

  • SHA1

    2280f28178322e4e1ddf0a104fa236756e60ea31

  • SHA256

    aa51f5e413b771a6ccc4dc9665571b6264133852df96ded99ba66ba2cc56ed6f

  • SHA512

    f757d65cc98cdabd84fdcc5d3d803fed9cf0b48c1b27905c25063d1aecf03b0940610650415fc1807da6b8a22d927023cb165b1feab3dcd73ad177b15a39b7a1

  • SSDEEP

    98304:v6PMt4eAwP3dcGLyKGYUZMr+lV6aMCUO1E2djrhk/ZNlE:v6BeAsdlc/qW7tUO+2Zrhk/Z8

Malware Config

Extracted

Family

xworm

C2

plus-improve.gl.at.ply.gg:2705 (the ply.gg suffix is the tunnel domain of the playit.gg relay service, so this endpoint is a relay rather than the operator's own host; use the full hostname and port as the indicator)

Attributes
  • Install_directory

    %ProgramData%

  • install_file

сmd.exe (the leading letter is the Cyrillic es, U+0441, not a Latin c: the dropped file looks like cmd.exe in a directory listing but will not match an ASCII search for that name)
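To turn the extracted config into indicators, the following added example (not code from the report or from any sandbox) splits the C2 into host and port, builds the expected install path, and flags the homoglyph in install_file. The confusables table is a hand-picked subset and an assumption; the ply.gg relay check is likewise my addition.

```python
import unicodedata

# Values as extracted in the config above. The first letter of install_file is
# U+0441 CYRILLIC SMALL LETTER ES, written as an escape so the difference from
# ASCII "c" is visible in source.
EXTRACTED = {
    "family": "xworm",
    "c2": "plus-improve.gl.at.ply.gg:2705",
    "install_directory": "%ProgramData%",
    "install_file": "\u0441md.exe",
}

# Hand-picked subset of Unicode confusables (assumption for this example; the
# authoritative list is Unicode TR39 confusables.txt). Maps look-alike letters
# to the ASCII letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X",
}


def non_ascii(name):
    """Every non-ASCII code point in name, with position, code point and Unicode name."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]


def ascii_lookalike(name):
    """Replace known confusables with their ASCII twin; other characters pass through."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def analyze_install_file(name):
    """Flag an install filename that imitates an ASCII name via homoglyphs."""
    odd = non_ascii(name)
    lookalike = ascii_lookalike(name)
    return {
        "original": name,
        "non_ascii": odd,
        "looks_like": lookalike,
        # Homoglyph: it had non-ASCII letters, and swapping them yields a pure-ASCII name.
        "is_homoglyph": bool(odd) and lookalike.isascii(),
    }


def parse_c2(c2):
    """Split 'host:port' into (host, int port); rpartition keeps any colons in the host part."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def expected_artifacts(cfg):
    """Host-based and network indicators implied by the config."""
    host, port = parse_c2(cfg["c2"])
    verdict = analyze_install_file(cfg["install_file"])
    return {
        "install_path": cfg["install_directory"] + "\\" + cfg["install_file"],
        "install_path_ascii_twin": cfg["install_directory"] + "\\" + verdict["looks_like"],
        "homoglyph_filename": verdict["is_homoglyph"],
        "c2_host": host,
        "c2_port": port,
        # *.ply.gg is the tunnel domain of playit.gg, so the host is a relay, not the operator.
        "c2_is_tunnel_relay": host.endswith(".ply.gg"),
    }


if __name__ == "__main__":
    for key, value in expected_artifacts(EXTRACTED).items():
        print(f"{key}: {value!r}")
    for pos, ch, cp, nm in non_ascii(EXTRACTED["install_file"]):
        print(f"install_file[{pos}] = {ch!r} {cp} {nm}")
```

When hunting for this sample on disk, search for both the raw filename and its ASCII twin under %ProgramData%, because tools that normalise or strip non-ASCII characters will show the second form.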

Targets

    • Target

      NeverLoseFree/NeverLoseClient.exe

    • Size

      75KB

    • MD5

      2b6ab43097c6f9a9d88d605c64a61dad

    • SHA1

      c00d66146e866da5cf69dcec581dfbe7950cf03b

    • SHA256

      2b967724ad4a8f55df852be7250b7f7eaf2c0e628cb1c1d3abd18adebf19e8e6

    • SHA512

      b9c3792ad6d3404a1905bd2290a20848a6cb88843343e3bc6e0c85cd31b2e239c70c522ada3f38dc5e8954622dc8fa3773c8307ce192a6e0897368be14121b06

    • SSDEEP

      1536:efAAfzPaDUUIU2QFgFrvwbIzDXuZQZG1O6kL8iVXOZ9r4S1:oAGzyDUO2trIbIQQZOEROZ9r11

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes (typically via the Add-MpPreference cmdlet), so the dropped payload and its install directory are not scanned.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely as a geofence to avoid running in certain regions.

    • Adds Run key to start application

    • Looks up external IP address via web service

Uses a legitimate public IP lookup service to learn the infected system's external IP address.

    • Target

      NeverLoseFree/bin/adb.exe

    • Size

      5.6MB

    • MD5

      f1f479bba21298e758fc22d8d98f8e48

    • SHA1

      2f7ef0bf7a9ca33da621ba29794ae9c8c95c0bca

    • SHA256

      705ddc21f33ac52105d1b075b019962ad0e44fb3d560bde69ce8cb3a36bca183

    • SHA512

      3b491cd07e1e05e14fcec13956e8c023a4f2bbcb9459f3965868a00e33bc4d7e258ac645da9f1b5ca6f9d9a757b879d696ab95800a03240b37aa42265d4e914f

    • SSDEEP

      49152:p1bbBWmqcEr5DV0uLC5sakvVgieBn5BzPZjdZYvM+ojzJLF+vW6Daa55pXxNh9Vm:hgV5mkvt6NzZYU+iWz5iXGTailRRQd

    Score
    3/10
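The four behaviours listed for NeverLoseClient.exe (Defender exclusions via PowerShell, the registry location check, the Run key, the external IP lookup) expressed as detection logic and run over a constructed event stream. This is an added example, not code from the report or from any sandbox; the event format, the exact Geo registry key, the IP-lookup host list, the relay-domain check and the ATT&CK mappings are my assumptions.

```python
import re

# Constructed sandbox-style event stream (not from the report): one event per
# line as "<type>|key=value|key=value...". The exclusion command line, the Geo
# registry key, the IP-lookup host and the Run key value are assumed shapes for
# the behaviours the report lists; the C2 host is the one extracted above.
EVENTS = [
    "process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -Command Add-MpPreference -ExclusionPath C:\\ProgramData"
    " -ExclusionProcess \u0441md.exe -ExclusionExtension .exe",
    "registry|op=read|key=HKCU\\Control Panel\\International\\Geo|value=Nation",
    "registry|op=write|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    "|value=\u0441md|data=C:\\ProgramData\\\u0441md.exe",
    "network|dst=api.ipify.org|port=443",
    "network|dst=plus-improve.gl.at.ply.gg|port=2705",
    "process|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe",
]

# Detection rules. The ATT&CK IDs are my mapping of each report signature.
MP_EXCLUSION = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b")
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?$")
GEO_KEY = re.compile(r"(?i)\\Control Panel\\International\\Geo")
# Assumed list of public IP-lookup services; extend from your own proxy logs.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.dyndns.org"}
# playit.gg tunnel domain; flagging relay domains is an assumption of this example.
TUNNEL_SUFFIXES = (".ply.gg",)


def parse_event(line):
    """Parse one 'type|k=v|k=v' line into a dict; the type goes under 'type'."""
    kind, _, rest = line.partition("|")
    fields = {"type": kind}
    for part in rest.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def triage(lines):
    """Return (rule, attack_id, detail) for every event that matches a rule."""
    hits = []
    for ev in map(parse_event, lines):
        kind = ev["type"]
        if kind == "process" and MP_EXCLUSION.search(ev.get("cmdline", "")):
            hits.append(("defender_exclusion", "T1562.001", ev["cmdline"]))
        elif kind == "registry" and ev.get("op") == "write" and RUN_KEY.search(ev.get("key", "")):
            hits.append(("run_key_persistence", "T1547.001", ev.get("data", "")))
        elif kind == "registry" and GEO_KEY.search(ev.get("key", "")):
            hits.append(("location_check", "T1614", ev["key"]))
        elif kind == "network" and ev.get("dst") in IP_LOOKUP_HOSTS:
            hits.append(("external_ip_lookup", "T1016", ev["dst"]))
        elif kind == "network" and ev.get("dst", "").endswith(TUNNEL_SUFFIXES):
            hits.append(("tunnelled_c2", "T1090", f'{ev["dst"]}:{ev.get("port", "")}'))
    return hits


def attack_summary(hits):
    """Distinct ATT&CK technique IDs observed, sorted for a stable report line."""
    return sorted({attack_id for _, attack_id, _ in hits})


if __name__ == "__main__":
    found = triage(EVENTS)
    for rule, attack_id, detail in found:
        print(f"{attack_id:<10} {rule:<22} {detail}")
    print("techniques:", ", ".join(attack_summary(found)))
```

The Run key rule only fires on writes, so a legitimate process enumerating the key for display does not trip it; the exclusion rule is case-insensitive because PowerShell cmdlet and parameter names are.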

MITRE ATT&CK Enterprise v15
