General
- Target: rvpn-free.exed
- Size: 17.9MB
- Sample: 250223-2gjwvaxmcm
- MD5: 86d4c18ac23bbf695eacd55514623aeb
- SHA1: e3f3212c120cbc7a3561f216eefe0c23c2da457a
- SHA256: db82126a67671be3db67ae3b2f871768913d08cb7550f914800dc81e3c4eb992
- SHA512: e2e824d97065a467bf5415f57b8bbcb9995a63bed275cc7c07f00d541dbf84fed8320845d0f40d6d1e0ba2ebab38fa327eab5856ecd54f033374eb71f2152be8
- SSDEEP: 393216:0cwZqjab4a0ZBo7dgAxMfcw7W0DikbXZf83JAJ+rEQZPMRO:01Zq5nadgAefcB0eqJ85iI/ZPM
- Static task: static1
- Behavioral task: behavioral1
- Sample: rvpn-free.exe
- Resource: win10ltsc2021-20250217-en
Malware Config
Extracted: xworm
5.0
193.161.193.99:42001
WffuRvk4udr8Iu5Q
- Install_directory: %Temp%
- install_file: OperationSystem.exe
Extracted: orcus
Clients:
147.185.221.26
Z;within-contacted.gl.at.ply.gg
37cf7f6922de40718f2a88aa515cd89b
- administration_rights_required: false
- anti_debugger: false
- anti_tcp_analyzer: false
- antivm: false
- autostart_method: 1
- change_creation_date: false
- force_installer_administrator_privileges: false
- hide_file: false
- install: false
- installation_folder: %appdata%\Microsoft\Speech\AudioDriver.exe
- installservice: false
- keylogger_enabled: false
- newcreationdate: 02/23/2025 14:15:01
- plugins:
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNwA1AGIANQA1ADkAZQBiAGIAMQAzADYANAA4ADcANwBhADYANQA2AGEAZgAwAGIAOABjADAANAAwADUAYgA4AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDQAMgA3AGUAMAAwAGUAZgA1ADYAYQAzADQAYgAyAGIAYQBlADgANgBmADEAMgAzADIAZgBiAGIANwAyAGEAYQABAAAEBA==
- reconnect_delay: 10000
- registry_autostart_keyname: Audio HD Driver
- registry_hidden_autostart: false
- set_admin_flag: false
- tasksch_name: Audio HD Driver
- tasksch_request_highest_privileges: false
- try_other_autostart_onfail: false
Targets
- Deletes Windows Defender Definitions: Uses mpcmdrun utility to delete all AV definitions.
- Detect Xworm Payload
- Orcus family
- Xworm family
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)