General

  • Target

    MoonXCrypter.zip

  • Size

    7.3MB

  • Sample

    250128-p3b2xayphx

  • MD5

    e48986430f57e62986375b7ea32dd177

  • SHA1

    d6f0e4220c30eee8c0e1ce7634d7e11f39996f6d

  • SHA256

    cdc90f38b71f0b982d87b2a911f2c1a2ca9939ec880ecfce7f5e6101669e483f

  • SHA512

    f0e40b630ad5b57af27f0e6ad6f67c476ae0101b9b29403f230b03d19c1fa1bbca226cf01c192875696a399b4c4a329de10f19458f2be80027f4217da614fdc4

  • SSDEEP

    196608:Cb96wXVCm3+6fHi1wQP+8c/aQ2xpRY68QMeXLkXo36:8jE+0wQzlQ2xpRY/Zcuo36

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

sQz0RaHau8Jp14Tf

Attributes

  • Install_directory

    %AppData%

  • install_file

    msedge.exe

  • pastebin_url

    https://pastebin.com/raw/bQJb81hE

  • telegram

    https://api.telegram.org/bot7608996644:AAGLvUjQra1pbtl0EeonQB0HIhDkLvQXGHM/sendMessage?chat_id=7750016553

aes.plain
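The extracted config above (and the "Legitimate hosting services abused for malware hosting/C2" signature further down) is enough to build hunt indicators without touching the sample. The Python below is an added example, not part of this report and not XWorm code: it expands the install path, splits the Telegram and pastebin URLs into their stable parts (bot id, chat id, paste id) and runs those against a few constructed proxy-log lines. The log format and timestamps are made up for the example; the URL layouts are the public ones for those two services.

```python
"""Turn the XWorm 5.0 config from the report into hunt artifacts.

Added example, not part of the sandbox report or of XWorm itself.
The proxy-log lines at the bottom are constructed; the URL layouts
(pastebin.com/raw/<id>, api.telegram.org/bot<token>/<method>) are the
public formats of those two services.
"""
import os
import re
from urllib.parse import parse_qs, urlparse

# Values copied verbatim from the "Malware Config" section of the report.
CONFIG = {
    "mutex": "sQz0RaHau8Jp14Tf",
    "install_directory": "%AppData%",
    "install_file": "msedge.exe",
    "pastebin_url": "https://pastebin.com/raw/bQJb81hE",
    "telegram": "https://api.telegram.org/bot7608996644:AAGLvUjQra1pbtl0EeonQB0HIhDkLvQXGHM"
                "/sendMessage?chat_id=7750016553",
}

# Telegram bot path: /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Pastebin raw path: /raw/<paste id>
PASTEBIN_RAW_RE = re.compile(r"^/raw/(?P<paste_id>[A-Za-z0-9]+)$")


def persistence_path(cfg, appdata=None):
    """Per-user path the implant copies itself to.

    %AppData% is expanded with the given value (or the real APPDATA env
    var) so the path can be checked on a host. msedge.exe is a decoy
    name here: the real Edge binary does not live under %AppData%.
    """
    base = appdata if appdata is not None else os.environ.get("APPDATA", "%AppData%")
    return base.rstrip("\\") + "\\" + cfg["install_file"]


def telegram_indicators(url):
    """Split a Telegram bot URL into the pieces worth blocking or pivoting on:
    the numeric bot id (before the colon), the API method and the chat_id."""
    u = urlparse(url)
    m = TELEGRAM_BOT_RE.match(u.path)
    if u.netloc != "api.telegram.org" or not m:
        return None
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    return {"bot_id": m["bot_id"], "method": m["method"], "chat_id": chat}


def pastebin_indicator(url):
    """Paste id of a pastebin raw URL (the dead-drop resolver), or None."""
    u = urlparse(url)
    m = PASTEBIN_RAW_RE.match(u.path)
    if u.netloc != "pastebin.com" or not m:
        return None
    return m["paste_id"]


def match_proxy_log(lines, cfg):
    """Flag proxy-log lines that hit the dead-drop paste or the Telegram bot.

    Matching is on the stable parts (paste id, bot id, chat id) rather than
    the whole URL, so a rotated bot secret or a different API method still
    matches. Constructed line format: "<timestamp> <source ip> <url>".
    """
    tg = telegram_indicators(cfg["telegram"])
    paste = pastebin_indicator(cfg["pastebin_url"])
    hits = []
    for line in lines:
        url = line.split()[-1]
        if pastebin_indicator(url) == paste:
            hits.append(("xworm_dead_drop", url))
        t = telegram_indicators(url)
        if t and (t["bot_id"] == tg["bot_id"] or t["chat_id"] == tg["chat_id"]):
            hits.append(("xworm_telegram_beacon", url))
    return hits


# Constructed sample log: two hits from one host, two unrelated requests from another.
SAMPLE_PROXY_LOG = [
    "2025-01-28T14:02:11Z 10.0.0.23 https://pastebin.com/raw/bQJb81hE",
    "2025-01-28T14:02:12Z 10.0.0.23 " + CONFIG["telegram"],
    "2025-01-28T14:05:40Z 10.0.0.41 https://pastebin.com/raw/someOtherPaste",
    "2025-01-28T14:06:02Z 10.0.0.41 https://api.telegram.org/bot1111111111:AAxx/getUpdates",
]

if __name__ == "__main__":
    print(persistence_path(CONFIG))
    print(telegram_indicators(CONFIG["telegram"]))
    for kind, url in match_proxy_log(SAMPLE_PROXY_LOG, CONFIG):
        print(kind, url)
```

Blocking `api.telegram.org` outright is rarely an option, which is why the bot id and chat_id are pulled out separately: a proxy or IDS rule can key on them, and the bot id is also what a takedown request to Telegram needs.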

Targets

    • Target

      MoonXCrypter.exe

    • Size

      7.1MB

    • MD5

      8bd4830859e6d4ff593fd12689dd6c5f

    • SHA1

      b32174b222cdd84854838d5b31796d8e05fc430d

    • SHA256

      6bc29cb0c807de07a6d2b753691b03e13cb7b267ba4b24a3de567d65ab955207

    • SHA512

      4546f43380be8e82d21bca9310769a7b18a7c6eac4cb3f2b39435bdf6c418cacb58706bb6db7ba770af54bb4dec5ee99e105528d5c165fad1bb26838532716d2

    • SSDEEP

      98304:6jColtmW0fKeUzknPsi9rWlZroXKeWe54DzqGnl/Vxwt2camJ14lYWVDlx/BDyvq:6Plj0hUi9rWrQboqGnlNrS4lYqXJyi

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      plugins/Cmstp-Bypass.dll

    • Size

      11KB

    • MD5

      cf15259e22b58a0dfd1156ab71cbd690

    • SHA1

      3614f4e469d28d6e65471099e2d45c8e28a7a49e

    • SHA256

      fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

    • SHA512

      7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

    • SSDEEP

      192:KpXpS1QWlPkiqdE7FNNGGO9mWbpGkjgyaYcIW1vr/8TNU7aL7YiLsO08hdW5:Kp5IfL0mWbEkUyaYir/oNJL7KQ

    Score
    1/10
    • Target

      plugins/Crypter.dll

    • Size

      18KB

    • MD5

      e6367d31cf5d16b1439b86ae6b7b31c3

    • SHA1

      f52f1e73614f2cec66dab6af862bdcb5d4d9cf35

    • SHA256

      cc52384910cee944ddbcc575a8e0177bfa6b16e3032438b207797164d5c94b34

    • SHA512

      8bc78a9b62f4226be146144684dc7fcd085bcf4d3d0558cb662aacc143d1438b7454e8ac70ca83ebeedc2a0fcea38ad8e77a5d926a85254b5a7d420a5605538a

    • SSDEEP

      384:nKr81F+CoNFZpeg7qX+mK3sxjt9l/C6I5YxBXWKeVFjyJ:KTvZY4gTPXBojG

    Score
    1/10
    • Target

      plugins/HRDP.dll

    • Size

      1.7MB

    • MD5

      f27b6e8cf5afa8771c679b7a79e11a08

    • SHA1

      6c3fcf45e35aaf6b747f29a06108093c284100da

    • SHA256

      4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

    • SHA512

      0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

    • SSDEEP

      24576:3rKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:WHZ5pdqYH8ia6GcKuR7

    Score
    1/10
    • Target

      plugins/Options.dll

    • Size

      30KB

    • MD5

      97193fc4c016c228ae0535772a01051d

    • SHA1

      f2f6d56d468329b1e9a91a3503376e4a6a4d5541

    • SHA256

      5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

    • SHA512

      9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

    • SSDEEP

      768:ULxkuz7dDWH839iybgkf/sGRNW9S9dhjcI:ULNHqUPbgQsGRNW9S9

    Score
    1/10
    • Target

      plugins/Performance.dll

    • Size

      16KB

    • MD5

      1841c479da7efd24521579053efcf440

    • SHA1

      0aacfd06c7223b988584a381cb10d6c3f462fc6a

    • SHA256

      043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735

    • SHA512

      3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

    • SSDEEP

      384:LtpW2/E3mawGD1XTgOw2QxHN7yVppy6+:JY2ImYRDKHxV

    Score
    1/10
    • Target

      plugins/ProcessManager.dll

    • Size

      19KB

    • MD5

      3d4ec14005a25a4cb05b1aa679cf22bf

    • SHA1

      6f4a827d94ad020bc23fbd04b7d8ca2995267094

    • SHA256

      7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e

    • SHA512

      0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e

    • SSDEEP

      384:2dqZXY/oSd1PTQLvLELadRtZa/rnRvDSQUT5S97/Y5bLOEYQfwrpn45rDhUn1kAO:2dqZXWrQPQQtZqrRrlU+cYv1kAvZc

    Score
    1/10
    • Target

      plugins/Programs.dll

    • Size

      13KB

    • MD5

      a6734a047b0b57055807a4f33a80d4dd

    • SHA1

      0b3a78b2362b0fd3817770fdc6dd070e3305615c

    • SHA256

      953a8276faa4a18685d09cd9187ed3e409e3cccd7daf34b6097f1eb8d96125a4

    • SHA512

      7292eab25f0e340e78063f32961eff16bb51895ad46cfd09933c0c30e3315129945d111a877a191fc261ad690ad6b02e1f2cabc4ff2fdac962ee272b41dd6dfa

    • SSDEEP

      192:Z3eKcfO/TCOAOG+uCno9SFwN4O4FgkT8zr1P9YD6IW1GX/V3wd0yzSLWVb:8PG/TCXF1SamdnTu5lYTX/NwKyNVb

    Score
    1/10
    • Target

      plugins/Ransomware.dll

    • Size

      20KB

    • MD5

      ccc9ea43ead4aa754b91e2039fe0ac1c

    • SHA1

      f382635559045ac1aeb1368d74e6b5c6e98e6a48

    • SHA256

      14c2bbccdabb8408395d636b44b99de4b16db2e6bf35181cb71e7be516d83ad9

    • SHA512

      5d05254ba5cd7b1967a84d5b0e6fd23c54766474fb8660a001bf3d21a3f5c8c20fcdb830fb8659a90da96655e6ee818ceefb6afa610cc853b7fba84bb9db4413

    • SSDEEP

      384:DVSO27QJHvpebFn0LC9Tk7ff2ji+ZMuqI+sHY4k7E7eEDuQZh:DVm7Q1vpebF0LC9TqH2Mj7qtqg

    Score
    1/10
    • Target

      plugins/Recovery.dll

    • Size

      1.1MB

    • MD5

      776193701a2ed869b5f1b6e71970a0ac

    • SHA1

      2f973458531aaa283cdc835af4e24f5f709cbad1

    • SHA256

      66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303

    • SHA512

      a41f981c861e8d40487a9cd0863f9055165427e10580548e972a47ef47cf3e777aab2df70dc6f464cc3077860e86eda7462e9754f9047a1ecc0ed9721663aeb9

    • SSDEEP

      12288:LaoFeouLUFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1a:pFetLic805jbibGATp/j5T

    Score
    1/10
    • Target

      plugins/RunPE.dll

    • Size

      11KB

    • MD5

      224be01635cff2dca827fbdeaddb983c

    • SHA1

      11fa00c5e172c9cd1c81acaef52934f785f91374

    • SHA256

      7adfe849345edd76aa975b0647fed2ccaa5f4a6aaf7d55f488af939c0dbef153

    • SHA512

      1a4915b7b21e8166a6ddb6460c77e02c306a460c08fc7ee574832b0576c827db343eda9533959298819ee443790769328ad580fc67fe4817110b63d49248c736

    • SSDEEP

      192:vbfqh94qP9XFw3l+JNGGOueq1JtSnIW1fUse2po7SLOYN:vbChWqPj5jJtGUse2poHYN

    Score
    1/10
    • Target

      plugins/ServiceManager.dll

    • Size

      14KB

    • MD5

      2e5f127cb0a69cdd46aa4fd9e603f982

    • SHA1

      994a6ab276c417301ed9208aaaf6719bf9594bc6

    • SHA256

      c552d11db168a4f64db584283a617a6ec51ab6095c20ba4b706c3138beb68a22

    • SHA512

      4455cb3b9d4a9c69abec7180e9a60e16e6be0ae2290f48aa09c5d926370de5512ced4d37b6e6e49515d5f51999211eff6f751c4594db936882fb7f40ee5bf97e

    • SSDEEP

      192:D6FAiNLB2n5QnRBiMcs/XAaICPczrOFsgXTZr106Yq6IW1yShrM7+WAMLuO1Jjm:Ziq5QRBiMn/wpDUtTZ5nYsShY3AgJjm

    Score
    1/10
    • Target

      plugins/StartupManager.dll

    • Size

      188KB

    • MD5

      3d76ef15ab712b93eabd4b68ea0111d5

    • SHA1

      0f309663fae17c4ccae983e1fabb16a1e5f77d9b

    • SHA256

      1802e16379d96021fee05f583633c8091bb669350b7d32064179a8944d45a5a6

    • SHA512

      6c0d0291abb696bee33b6e42392b07028c82bcffc8fb7934ba234f178f011ab14fde38cdccb322c8dba058ae66fc023349de5db1c587d3417709bf263cfd28f3

    • SSDEEP

      3072:7ITmgSRcBHAt+yM1KlUKEHBAnpK37nXnF8KBOQv174Syoh2sKdm/vl7bQcX1Okta:7MmgSRcBHAt+yM1KlU18g1xNYVc

    Score
    1/10
    • Target

      plugins/TCPConnections.dll

    • Size

      16KB

    • MD5

      9cae90969d14ab4d686c56bae19e041e

    • SHA1

      0359e8eeed993bbbc6f141b115bd533eeb52533d

    • SHA256

      27e17a43478448f64107df786a170753dbd116eafca7c027f6d357f11e6a4def

    • SHA512

      04a9dc16299d866af7f56ff2ef355310d9437c909ec0dd3549d2f142e71149b09822106e254970f00801fe2f0df6b6d2670cf6a8256d85cd35b963c028f6202d

    • SSDEEP

      192:VsFaPxrfOKHEWS3/tQ6v/Lvyrq6gNZOtyEox0GTeA19Z/J6IW1Gz/yyY8RKIxLuM:/9GKkWuv/LyvSwyzTeej/Zz/IHUv

    Score
    1/10
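Taken together, the MoonXCrypter.exe signatures above describe one chain: PowerShell adds Defender exclusions, the payload is dropped to the config's %AppData%\msedge.exe, and a Run key starts it. The Python below is an added example, not part of this report, that scores constructed process-creation and registry-set records against that chain. The record field names and the Run value name `msedge` are this example's own assumptions (the report does not give the value name), and the legitimate Edge path in the last record is there to show that the decoy file name is told apart by its directory.

```python
"""Detection logic for the MoonXCrypter.exe behaviours listed in the report:
PowerShell adding Defender exclusions, execution from the config's
%AppData%\\msedge.exe install path, and a Run key pointing at that path.

Added example, not part of the sandbox report. The event records below
are constructed, and their field names (event, image, command_line, key,
value) are this example's own, not those of Sysmon or any EDR.
"""
import re

# Config: Install_directory = %AppData%, install_file = msedge.exe.
# %AppData% resolves to <profile>\AppData\Roaming on a default install.
INSTALL_PATH_RE = re.compile(r"\\appdata\\roaming\\msedge\.exe", re.IGNORECASE)
# Add-MpPreference parameters matching the report's "extensions, paths, and processes".
EXCLUSION_PARAM_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
ADD_MPPREF_RE = re.compile(r"Add-MpPreference", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"powershell(_ise)?\.exe$|pwsh\.exe$", re.IGNORECASE)
# Matches both HKCU and HKLM Run keys.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def classify(event):
    """Return the list of findings for one constructed event record."""
    findings = []
    if event["event"] == "process_create":
        cmd = event["command_line"]
        if (POWERSHELL_RE.search(event["image"])
                and ADD_MPPREF_RE.search(cmd)
                and EXCLUSION_PARAM_RE.search(cmd)):
            findings.append("defender_exclusion_added")
        if INSTALL_PATH_RE.search(event["image"]):
            findings.append("execution_from_xworm_install_path")
    elif event["event"] == "registry_set":
        # Run values are often quoted; strip quotes before matching the path.
        if RUN_KEY_RE.search(event["key"]) and INSTALL_PATH_RE.search(event["value"].strip('"')):
            findings.append("run_key_to_xworm_install_path")
    return findings


def scan(events):
    """Classify every record; returns (index, finding) pairs in event order."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed records: the chain from the report, plus a benign Edge launch.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\victim\\AppData\\Roaming"'},
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msedge",   # value name assumed
     "value": r'"C:\Users\victim\AppData\Roaming\msedge.exe"'},
    {"event": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\msedge.exe",
     "command_line": "msedge.exe"},
    {"event": "process_create",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe --profile-directory=Default"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The exclusion rule keys on the cmdlet name plus an `-Exclusion*` parameter rather than on `powershell.exe` alone, so an encoded or obfuscated command line that does not decode to `Add-MpPreference` will be missed; pair it with script block logging (Event ID 4104) in production, where the decoded script is what gets logged.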

MITRE ATT&CK Enterprise v15
