Overview
Score: 10/10

Analysis tasks (sample, environment, score):
Static analysis           static                10/10
MoonXCrypter.exe          windows7-x64          10/10
MoonXCrypter.exe          windows10-2004-x64    10/10
plugins/Cm...ss.dll       windows7-x64          1/10
plugins/Cm...ss.dll       windows10-2004-x64    1/10
plugins/Crypter.dll       windows7-x64          1/10
plugins/Crypter.dll       windows10-2004-x64    1/10
plugins/HRDP.dll          windows7-x64          1/10
plugins/HRDP.dll          windows10-2004-x64    1/10
plugins/Options.dll       windows7-x64          1/10
plugins/Options.dll       windows10-2004-x64    1/10
plugins/Pe...ce.dll       windows7-x64          1/10
plugins/Pe...ce.dll       windows10-2004-x64    1/10
plugins/Pr...er.dll       windows7-x64          1/10
plugins/Pr...er.dll       windows10-2004-x64    1/10
plugins/Programs.dll      windows7-x64          1/10
plugins/Programs.dll      windows10-2004-x64    1/10
plugins/Ra...re.dll       windows7-x64          1/10
plugins/Ra...re.dll       windows10-2004-x64    1/10
plugins/Recovery.dll      windows7-x64          1/10
plugins/Recovery.dll      windows10-2004-x64    1/10
plugins/RunPE.dll         windows7-x64          1/10
plugins/RunPE.dll         windows10-2004-x64    1/10
plugins/Se...er.dll       windows7-x64          1/10
plugins/Se...er.dll       windows10-2004-x64    1/10
plugins/St...er.dll       windows7-x64          1/10
plugins/St...er.dll       windows10-2004-x64    1/10
plugins/TC...ns.dll       windows7-x64          1/10
plugins/TC...ns.dll       windows10-2004-x64    1/10

General
Target: MoonXCrypter.zip
Size: 7.3MB
Sample: 250128-pxqywa1rfl
MD5: e48986430f57e62986375b7ea32dd177
SHA1: d6f0e4220c30eee8c0e1ce7634d7e11f39996f6d
SHA256: cdc90f38b71f0b982d87b2a911f2c1a2ca9939ec880ecfce7f5e6101669e483f
SHA512: f0e40b630ad5b57af27f0e6ad6f67c476ae0101b9b29403f230b03d19c1fa1bbca226cf01c192875696a399b4c4a329de10f19458f2be80027f4217da614fdc4
SSDEEP: 196608:Cb96wXVCm3+6fHi1wQP+8c/aQ2xpRY68QMeXLkXo36:8jE+0wQzlQ2xpRY/Zcuo36
Behavioral tasks (task, sample, resource):
behavioral1    MoonXCrypter.exe              win7-20241023-en
behavioral2    MoonXCrypter.exe              win10v2004-20241007-en
behavioral3    plugins/Cmstp-Bypass.dll      win7-20240903-en
behavioral4    plugins/Cmstp-Bypass.dll      win10v2004-20241007-en
behavioral5    plugins/Crypter.dll           win7-20240903-en
behavioral6    plugins/Crypter.dll           win10v2004-20241007-en
behavioral7    plugins/HRDP.dll              win7-20241010-en
behavioral8    plugins/HRDP.dll              win10v2004-20241007-en
behavioral9    plugins/Options.dll           win7-20240903-en
behavioral10   plugins/Options.dll           win10v2004-20241007-en
behavioral11   plugins/Performance.dll       win7-20240903-en
behavioral12   plugins/Performance.dll       win10v2004-20241007-en
behavioral13   plugins/ProcessManager.dll    win7-20240708-en
behavioral14   plugins/ProcessManager.dll    win10v2004-20241007-en
behavioral15   plugins/Programs.dll          win7-20240903-en
behavioral16   plugins/Programs.dll          win10v2004-20241007-en
behavioral17   plugins/Ransomware.dll        win7-20241023-en
behavioral18   plugins/Ransomware.dll        win10v2004-20241007-en
behavioral19   plugins/Recovery.dll          win7-20241010-en
behavioral20   plugins/Recovery.dll          win10v2004-20241007-en
behavioral21   plugins/RunPE.dll             win7-20241010-en
behavioral22   plugins/RunPE.dll             win10v2004-20241007-en
behavioral23   plugins/ServiceManager.dll    win7-20240729-en
behavioral24   plugins/ServiceManager.dll    win10v2004-20241007-en
behavioral25   plugins/StartupManager.dll    win7-20240903-en
behavioral26   plugins/StartupManager.dll    win10v2004-20241007-en
behavioral27   plugins/TCPConnections.dll    win7-20240903-en
behavioral28   plugins/TCPConnections.dll    win10v2004-20241007-en
Malware Config
Extracted: xworm 5.0 sQz0RaHau8Jp14Tf
- Install_directory: %AppData%
- install_file: msedge.exe
- pastebin_url: https://pastebin.com/raw/bQJb81hE
- telegram: https://api.telegram.org/bot7608996644:AAGLvUjQra1pbtl0EeonQB0HIhDkLvQXGHM/sendMessage?chat_id=7750016553
Targets

Target: MoonXCrypter.exe
Size: 7.1MB
MD5: 8bd4830859e6d4ff593fd12689dd6c5f
SHA1: b32174b222cdd84854838d5b31796d8e05fc430d
SHA256: 6bc29cb0c807de07a6d2b753691b03e13cb7b267ba4b24a3de567d65ab955207
SHA512: 4546f43380be8e82d21bca9310769a7b18a7c6eac4cb3f2b39435bdf6c418cacb58706bb6db7ba770af54bb4dec5ee99e105528d5c165fad1bb26838532716d2
SSDEEP: 98304:6jColtmW0fKeUzknPsi9rWlZroXKeWe54DzqGnl/Vxwt2camJ14lYWVDlx/BDyvq:6Plj0hUi9rWrQboqGnlNrS4lYqXJyi
Score: 10/10
Signatures:
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2

Target: plugins/Cmstp-Bypass.dll
Size: 11KB
MD5: cf15259e22b58a0dfd1156ab71cbd690
SHA1: 3614f4e469d28d6e65471099e2d45c8e28a7a49e
SHA256: fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b
SHA512: 7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38
SSDEEP: 192:KpXpS1QWlPkiqdE7FNNGGO9mWbpGkjgyaYcIW1vr/8TNU7aL7YiLsO08hdW5:Kp5IfL0mWbEkUyaYir/oNJL7KQ
Score: 1/10

Target: plugins/Crypter.dll
Size: 18KB
MD5: e6367d31cf5d16b1439b86ae6b7b31c3
SHA1: f52f1e73614f2cec66dab6af862bdcb5d4d9cf35
SHA256: cc52384910cee944ddbcc575a8e0177bfa6b16e3032438b207797164d5c94b34
SHA512: 8bc78a9b62f4226be146144684dc7fcd085bcf4d3d0558cb662aacc143d1438b7454e8ac70ca83ebeedc2a0fcea38ad8e77a5d926a85254b5a7d420a5605538a
SSDEEP: 384:nKr81F+CoNFZpeg7qX+mK3sxjt9l/C6I5YxBXWKeVFjyJ:KTvZY4gTPXBojG
Score: 1/10

Target: plugins/HRDP.dll
Size: 1.7MB
MD5: f27b6e8cf5afa8771c679b7a79e11a08
SHA1: 6c3fcf45e35aaf6b747f29a06108093c284100da
SHA256: 4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
SHA512: 0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33
SSDEEP: 24576:3rKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:WHZ5pdqYH8ia6GcKuR7
Score: 1/10

Target: plugins/Options.dll
Size: 30KB
MD5: 97193fc4c016c228ae0535772a01051d
SHA1: f2f6d56d468329b1e9a91a3503376e4a6a4d5541
SHA256: 5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78
SHA512: 9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2
SSDEEP: 768:ULxkuz7dDWH839iybgkf/sGRNW9S9dhjcI:ULNHqUPbgQsGRNW9S9
Score: 1/10

Target: plugins/Performance.dll
Size: 16KB
MD5: 1841c479da7efd24521579053efcf440
SHA1: 0aacfd06c7223b988584a381cb10d6c3f462fc6a
SHA256: 043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735
SHA512: 3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487
SSDEEP: 384:LtpW2/E3mawGD1XTgOw2QxHN7yVppy6+:JY2ImYRDKHxV
Score: 1/10

Target: plugins/ProcessManager.dll
Size: 19KB
MD5: 3d4ec14005a25a4cb05b1aa679cf22bf
SHA1: 6f4a827d94ad020bc23fbd04b7d8ca2995267094
SHA256: 7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e
SHA512: 0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e
SSDEEP: 384:2dqZXY/oSd1PTQLvLELadRtZa/rnRvDSQUT5S97/Y5bLOEYQfwrpn45rDhUn1kAO:2dqZXWrQPQQtZqrRrlU+cYv1kAvZc
Score: 1/10

Target: plugins/Programs.dll
Size: 13KB
MD5: a6734a047b0b57055807a4f33a80d4dd
SHA1: 0b3a78b2362b0fd3817770fdc6dd070e3305615c
SHA256: 953a8276faa4a18685d09cd9187ed3e409e3cccd7daf34b6097f1eb8d96125a4
SHA512: 7292eab25f0e340e78063f32961eff16bb51895ad46cfd09933c0c30e3315129945d111a877a191fc261ad690ad6b02e1f2cabc4ff2fdac962ee272b41dd6dfa
SSDEEP: 192:Z3eKcfO/TCOAOG+uCno9SFwN4O4FgkT8zr1P9YD6IW1GX/V3wd0yzSLWVb:8PG/TCXF1SamdnTu5lYTX/NwKyNVb
Score: 1/10

Target: plugins/Ransomware.dll
Size: 20KB
MD5: ccc9ea43ead4aa754b91e2039fe0ac1c
SHA1: f382635559045ac1aeb1368d74e6b5c6e98e6a48
SHA256: 14c2bbccdabb8408395d636b44b99de4b16db2e6bf35181cb71e7be516d83ad9
SHA512: 5d05254ba5cd7b1967a84d5b0e6fd23c54766474fb8660a001bf3d21a3f5c8c20fcdb830fb8659a90da96655e6ee818ceefb6afa610cc853b7fba84bb9db4413
SSDEEP: 384:DVSO27QJHvpebFn0LC9Tk7ff2ji+ZMuqI+sHY4k7E7eEDuQZh:DVm7Q1vpebF0LC9TqH2Mj7qtqg
Score: 1/10

Target: plugins/Recovery.dll
Size: 1.1MB
MD5: 776193701a2ed869b5f1b6e71970a0ac
SHA1: 2f973458531aaa283cdc835af4e24f5f709cbad1
SHA256: 66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
SHA512: a41f981c861e8d40487a9cd0863f9055165427e10580548e972a47ef47cf3e777aab2df70dc6f464cc3077860e86eda7462e9754f9047a1ecc0ed9721663aeb9
SSDEEP: 12288:LaoFeouLUFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1a:pFetLic805jbibGATp/j5T
Score: 1/10

Target: plugins/RunPE.dll
Size: 11KB
MD5: 224be01635cff2dca827fbdeaddb983c
SHA1: 11fa00c5e172c9cd1c81acaef52934f785f91374
SHA256: 7adfe849345edd76aa975b0647fed2ccaa5f4a6aaf7d55f488af939c0dbef153
SHA512: 1a4915b7b21e8166a6ddb6460c77e02c306a460c08fc7ee574832b0576c827db343eda9533959298819ee443790769328ad580fc67fe4817110b63d49248c736
SSDEEP: 192:vbfqh94qP9XFw3l+JNGGOueq1JtSnIW1fUse2po7SLOYN:vbChWqPj5jJtGUse2poHYN
Score: 1/10

Target: plugins/ServiceManager.dll
Size: 14KB
MD5: 2e5f127cb0a69cdd46aa4fd9e603f982
SHA1: 994a6ab276c417301ed9208aaaf6719bf9594bc6
SHA256: c552d11db168a4f64db584283a617a6ec51ab6095c20ba4b706c3138beb68a22
SHA512: 4455cb3b9d4a9c69abec7180e9a60e16e6be0ae2290f48aa09c5d926370de5512ced4d37b6e6e49515d5f51999211eff6f751c4594db936882fb7f40ee5bf97e
SSDEEP: 192:D6FAiNLB2n5QnRBiMcs/XAaICPczrOFsgXTZr106Yq6IW1yShrM7+WAMLuO1Jjm:Ziq5QRBiMn/wpDUtTZ5nYsShY3AgJjm
Score: 1/10

Target: plugins/StartupManager.dll
Size: 188KB
MD5: 3d76ef15ab712b93eabd4b68ea0111d5
SHA1: 0f309663fae17c4ccae983e1fabb16a1e5f77d9b
SHA256: 1802e16379d96021fee05f583633c8091bb669350b7d32064179a8944d45a5a6
SHA512: 6c0d0291abb696bee33b6e42392b07028c82bcffc8fb7934ba234f178f011ab14fde38cdccb322c8dba058ae66fc023349de5db1c587d3417709bf263cfd28f3
SSDEEP: 3072:7ITmgSRcBHAt+yM1KlUKEHBAnpK37nXnF8KBOQv174Syoh2sKdm/vl7bQcX1Okta:7MmgSRcBHAt+yM1KlU18g1xNYVc
Score: 1/10

Target: plugins/TCPConnections.dll
Size: 16KB
MD5: 9cae90969d14ab4d686c56bae19e041e
SHA1: 0359e8eeed993bbbc6f141b115bd533eeb52533d
SHA256: 27e17a43478448f64107df786a170753dbd116eafca7c027f6d357f11e6a4def
SHA512: 04a9dc16299d866af7f56ff2ef355310d9437c909ec0dd3549d2f142e71149b09822106e254970f00801fe2f0df6b6d2670cf6a8256d85cd35b963c028f6202d
SSDEEP: 192:VsFaPxrfOKHEWS3/tQ6v/Lvyrq6gNZOtyEox0GTeA19Z/J6IW1Gz/yyY8RKIxLuM:/9GKkWuv/LyvSwyzTeej/Zz/IHUv
Score: 1/10
MITRE ATT&CK Enterprise v15 (technique, sub-technique, count)
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)