xworm

Sharing

Copy URL

Twitter E-mail

General

Target

MoonCrypter1.rar
Size

1.7MB
Sample

250124-24va4atkfv
MD5

760b8ccf814fde6524ceffc5f97421d8
SHA1

22d79221917fd211a42f923aa5a94ba72c749e75
SHA256

eda0f45bf7e42ea80b3140d490ffcdd773f35d48bcb4ee9babc76f67afd7b8f6
SHA512

41ddaee104d4bfad95686193564c4122dae026d5f3b86fb3fb536d09fc43301c306632bafb695c543b6cd3838bca080feecba23f75b46820e33e6df66724d3ea
SSDEEP

24576:sxO9XOv3bdt1fMY5LJgYOeD82y7UhPIsamtMQ1dVExVwYs5YDGrVEfHm16OUdo1U:IfbjEzezyC+srEzJJOEfg6OUPSR8T

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Targets

- Target
  
  MoonCrypter/Jint/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral1 behavioral2
- Target
  
  MoonCrypter/Jint/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  MoonCrypter/Jint/comctl32.dll
- Size
  
  657KB
- MD5
  
  384d0d60981557b675e0ea94ece3ab26
- SHA1
  
  2ebabc7a4a3f36041d92cf91b72957e77fe1c190
- SHA256
  
  153dc459a73e102f60e62162f21b40f2cf666a9039b69d84df3cffb1eeedef66
- SHA512
  
  71f676c5d06d00d9ca24de52387fdc4791d7ff54f6da64f97381a34759883eaa59b6c6f76afdbd8c571723328b8bc4b9e15568b53f0f258a704cceba9f5630e3
- SSDEEP
  
  12288:1+eBYBiTZjaXU8iXmXQ4rETlrCY8QTBGsQi50NpchRW7wZ4fwID:1+eMXXlyuQ4rEZR8WBii50b3w8
Score

1^/10
behavioral5
- Target
  
  MoonCrypter/Jint/mce.exe
- Size
  
  253KB
- MD5
  
  0ec3da715b4dd0c38c00d5102dbcc6c6
- SHA1
  
  8f94bdd39e48e894d01cc418059288ab0b9fd7ce
- SHA256
  
  cd24da6a58712ffa1c42790226d2dbcbd4a223e14d001c97e4031170d3ef6a99
- SHA512
  
  a3b9aff7c374accb0d079104bbf73889c8b0c9c14cbabbf97265048c944efb89cc5b9340fab8e80607e8863d32cec6908d01d079414c4bc69a09301485464232
- SSDEEP
  
  3072:/kTP5ZkDO0Yb95ks/sptHfLOcHiCeiRHfdhTW4ks/sptHfLO:YRZkoQBtDDQBtD
Score

3^/10

discovery
behavioral6 behavioral7
- Target
  
  MoonCrypter/MoonCrypter1.exe
- Size
  
  582KB
- MD5
  
  fe33fb1a059475fe19f07437098c391c
- SHA1
  
  bf4a0cc782156a44a27c7e9ea1e4297be926a597
- SHA256
  
  fc70565765ef8ca0f63b63aab261ebff53d1f110bd8da460720099b779832283
- SHA512
  
  c8117a6cd0e956d2ff82143621a320ebf7ff38f67a4cb64f9e294c341806757a4a0549e869c16d90c0d48ebd6262befd62411af9cacc19121b25ee5532e6d079
- SSDEEP
  
  12288:2zvRCmaURtTLYscOOn37xZOSKrUwgQbBcg0Mp2egI:E0UtnYb3T5ONgwcg06DgI
Score

10^/10

xworm discovery execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral8 behavioral9
- Target
  
  MoonCrypter/comctl32.dll
- Size
  
  657KB
- MD5
  
  384d0d60981557b675e0ea94ece3ab26
- SHA1
  
  2ebabc7a4a3f36041d92cf91b72957e77fe1c190
- SHA256
  
  153dc459a73e102f60e62162f21b40f2cf666a9039b69d84df3cffb1eeedef66
- SHA512
  
  71f676c5d06d00d9ca24de52387fdc4791d7ff54f6da64f97381a34759883eaa59b6c6f76afdbd8c571723328b8bc4b9e15568b53f0f258a704cceba9f5630e3
- SSDEEP
  
  12288:1+eBYBiTZjaXU8iXmXQ4rETlrCY8QTBGsQi50NpchRW7wZ4fwID:1+eMXXlyuQ4rEZR8WBii50b3w8
Score

1^/10
behavioral10
- Target
  
  MoonCrypter/fixer1.exe
- Size
  
  510KB
- MD5
  
  696be443d22e8435a3649313ce100c66
- SHA1
  
  3213e88a7accb1002f67770f3f972fb19f2da7de
- SHA256
  
  1f7561c08f10f443c953fe4292bbc3e69e739f9c61e426fba4c210de423f1ddb
- SHA512
  
  b15e57b35cd7ea49b288103a327cd7fce80494f05d048b9ae909647f5f4f3acbb4b25495e48375bf6f7191f39b7dd941a098a914d281687847996c37a288424d
- SSDEEP
  
  12288:jY5yIaKqe+ys/755QzLBH8oAfZsZpp2egI:wyIaKqzys/7kmoAfiHDgI
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12