General
-
Target
lemon.mp4-1.mov
-
Size
103KB
-
Sample
250126-t531mawrav
-
MD5
de829ff9a0f5c07ec7e1a90de40da438
-
SHA1
c4b44374251296ff97c678afbbeb2009f7df6609
-
SHA256
ea1d7a3a7ccaa19e036f9ce1f7861b0d32860e4ca23201cf5904e67863cb87c3
-
SHA512
353bef6848b8a1cdee3bb677b4cacaa99b9139c14c5d86e3e89533fac80151165c5f2435eb87722207dff39769cf27fa11a7b434aabebd43d7762d06b8024ae6
-
SSDEEP
1536:OPJAF0bFCyP/Lq9htw7mrDGNowqLShO9E5CJljbPjyP51GIbIJexGmPTfA:yAF6f/Lq9htw7DN4SQ9EATryPfTXk
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
RUss9jpgCGjKXozU
-
Install_directory
%LocalAppData%
-
install_file
XClient.exe
Extracted
xworm
127.0.0.1:7000
-
Install_directory
%LocalAppData%
-
install_file
XClient.exe
Extracted
quasar
1.4.1
hawk tuah spit on that thang
127.0.0.1:4782
7fce0ae0-8078-4987-8717-6b158b43106e
-
encryption_key
F12EAD15347FEFEAE51235126500C230593C9A9E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
lemon.mp4-1.mov
-
Size
103KB
-
MD5
de829ff9a0f5c07ec7e1a90de40da438
-
SHA1
c4b44374251296ff97c678afbbeb2009f7df6609
-
SHA256
ea1d7a3a7ccaa19e036f9ce1f7861b0d32860e4ca23201cf5904e67863cb87c3
-
SHA512
353bef6848b8a1cdee3bb677b4cacaa99b9139c14c5d86e3e89533fac80151165c5f2435eb87722207dff39769cf27fa11a7b434aabebd43d7762d06b8024ae6
-
SSDEEP
1536:OPJAF0bFCyP/Lq9htw7mrDGNowqLShO9E5CJljbPjyP51GIbIJexGmPTfA:yAF6f/Lq9htw7DN4SQ9EATryPfTXk
Score10/10-
Detect Xworm Payload
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file
-
Executes dropped EXE
-
Uses the VBS compiler for execution
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-