xworm

Sharing

Copy URL

Twitter E-mail

General

Target

MoonCrypter.rar
Size

1.3MB
Sample

250124-z9dt7ayrgs
MD5

ccc21f4e00162c96301c0901ade0ccc4
SHA1

fd88be0f52f8ec766327ce75fc55fb196e4557c6
SHA256

57583fbcfce7c62cfc880b35bc19d2bcb3d34e14423ab725674f9f1eefcbd038
SHA512

bb40c47e1d25be445249a50e92f208187da14fdee9a64424db3a6bb5c1992d48da5d55141585bf6cb26ef88a293657d3bc9616000c6ded6a7145d0f87dd36051
SSDEEP

24576:8++stGfbozsU+ZB++stGfbozsUYJUYndkIkDf7KaoY8QY8EFhe89:IstGMzv+Z/stGMzvriaoXeEL5

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

193.123.88.61:4444

Mutex

1cAjmT6r87cbZXRe

Attributes

Install_directory
%AppData%
install_file
host.exe

aes.plain

Targets

- Target
  
  MoonCrypter.rar
- Size
  
  1.3MB
- MD5
  
  ccc21f4e00162c96301c0901ade0ccc4
- SHA1
  
  fd88be0f52f8ec766327ce75fc55fb196e4557c6
- SHA256
  
  57583fbcfce7c62cfc880b35bc19d2bcb3d34e14423ab725674f9f1eefcbd038
- SHA512
  
  bb40c47e1d25be445249a50e92f208187da14fdee9a64424db3a6bb5c1992d48da5d55141585bf6cb26ef88a293657d3bc9616000c6ded6a7145d0f87dd36051
- SSDEEP
  
  24576:8++stGfbozsU+ZB++stGfbozsUYJUYndkIkDf7KaoY8QY8EFhe89:IstGMzv+Z/stGMzvriaoXeEL5
Score

10^/10

xworm discovery execution persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1
- Target
  
  MoonCrypter/Jint/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral2
- Target
  
  MoonCrypter/Jint/LICENCE.dat
- Size
  
  73KB
- MD5
  
  5ac57bee6febd79c760a08a6f4fbda37
- SHA1
  
  fc9646f500d3d197932a890544081dfa05c00214
- SHA256
  
  59a2f1e7e29689f58536f505b5479cbbef9d3e8e0a7ebfaa41dfb434f4667dea
- SHA512
  
  9b424abc0b94598c7b35ba6398a0b4a21c6b4a32de31bab43af259af3cbdb407592d0eaff25c29d6a3def645e7e455b50375eb7ab3161bb64ea8ae5d9b48d65a
- SSDEEP
  
  1536:rpD4FJMBNpOXCZTat+LAU3BbMrAy4LYI5zzrSaD45P:r2FWPOS0M8YP1LYli4F
Score

1^/10
behavioral3
- Target
  
  MoonCrypter/Jint/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral4
- Target
  
  MoonCrypter/Jint/comctl32.dll
- Size
  
  657KB
- MD5
  
  384d0d60981557b675e0ea94ece3ab26
- SHA1
  
  2ebabc7a4a3f36041d92cf91b72957e77fe1c190
- SHA256
  
  153dc459a73e102f60e62162f21b40f2cf666a9039b69d84df3cffb1eeedef66
- SHA512
  
  71f676c5d06d00d9ca24de52387fdc4791d7ff54f6da64f97381a34759883eaa59b6c6f76afdbd8c571723328b8bc4b9e15568b53f0f258a704cceba9f5630e3
- SSDEEP
  
  12288:1+eBYBiTZjaXU8iXmXQ4rETlrCY8QTBGsQi50NpchRW7wZ4fwID:1+eMXXlyuQ4rEZR8WBii50b3w8
Score

1^/10
behavioral5
- Target
  
  MoonCrypter/Jint/mce.exe
- Size
  
  253KB
- MD5
  
  0ec3da715b4dd0c38c00d5102dbcc6c6
- SHA1
  
  8f94bdd39e48e894d01cc418059288ab0b9fd7ce
- SHA256
  
  cd24da6a58712ffa1c42790226d2dbcbd4a223e14d001c97e4031170d3ef6a99
- SHA512
  
  a3b9aff7c374accb0d079104bbf73889c8b0c9c14cbabbf97265048c944efb89cc5b9340fab8e80607e8863d32cec6908d01d079414c4bc69a09301485464232
- SSDEEP
  
  3072:/kTP5ZkDO0Yb95ks/sptHfLOcHiCeiRHfdhTW4ks/sptHfLO:YRZkoQBtDDQBtD
Score

1^/10
behavioral6
- Target
  
  MoonCrypter/MoonCrypter.exe
- Size
  
  268KB
- MD5
  
  b32cf72bcf05b3df1967624c18792bfc
- SHA1
  
  da6bb03499739c473d34cf65bba5a68c3248ba1a
- SHA256
  
  2b2e23b302667a243ddf8250f5c654ffc7033f7000375df534348aff2f18871d
- SHA512
  
  1772753364652881db88595a4bc9e0e96a3cded522723c21a287c8675286c89e8790286334b177ab96403a1d63bd483c20ec3ed69631f1dc590e0c36b96eb54f
- SSDEEP
  
  3072:nsMbkPKSqyLcThkq0zl0rUS3g8NUYLpGfR/cM4kKKL9000XrcND2kbQExBQK:JbKqcg0zSrUwgLup2R/UgwP
Score

10^/10

xworm discovery execution persistence rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral7
- Target
  
  MoonCrypter/comctl32.dll
- Size
  
  657KB
- MD5
  
  384d0d60981557b675e0ea94ece3ab26
- SHA1
  
  2ebabc7a4a3f36041d92cf91b72957e77fe1c190
- SHA256
  
  153dc459a73e102f60e62162f21b40f2cf666a9039b69d84df3cffb1eeedef66
- SHA512
  
  71f676c5d06d00d9ca24de52387fdc4791d7ff54f6da64f97381a34759883eaa59b6c6f76afdbd8c571723328b8bc4b9e15568b53f0f258a704cceba9f5630e3
- SSDEEP
  
  12288:1+eBYBiTZjaXU8iXmXQ4rETlrCY8QTBGsQi50NpchRW7wZ4fwID:1+eMXXlyuQ4rEZR8WBii50b3w8
Score

1^/10
behavioral8
- Target
  
  MoonCrypter/fixer.exe
- Size
  
  191KB
- MD5
  
  24bd0c210794c566995f58dd1ea5d542
- SHA1
  
  890f5936f00948e77d766b8e200d6a9a210b1032
- SHA256
  
  d60d3dfdc76f15f7891d8f437b07a20567f4face48ae22e4b816b2bd44f6a5ba
- SHA512
  
  978338f90d3ce30b64d1f745a1ba477b42285f0e3a5409d3537a174f7211751e8edb4c056226f4af27c44ad8cbc6e9c95289efabd1540f7b31605b91df952d65
- SSDEEP
  
  3072:q4l2jUYLpGfR/cM4kKKL9000XrcND2kbQExBQ6:q62oup2R/UgwP
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Adds Run key to start application

Contains code to disable Windows Defender

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9