blankgrabber | 9e532dd2bc349871db31ec7af83a836a9e1c0f76c086d94cce3367497f74a614

General

Target

run.exe
Size

7.0MB
Sample

250301-zafjqs1pw9
MD5

9274e74a255423ad522ca65a24390d8d
SHA1

310f06e5f65997fda3493e4516ba588181652aa9
SHA256

9e532dd2bc349871db31ec7af83a836a9e1c0f76c086d94cce3367497f74a614
SHA512

ee1967ffd6db52f82c9d7ac0bac2f1b701bee80cbf09bb3250cf303f75c33af56f45250678dc6e4424164b712c65d81bd2e51b26319a5cc28bf164b3ff680e0a
SSDEEP

196608:QW00tCWveNTfm/pf+xk4dWRimrbW3jmyF:tCWsy/pWu4kRimrbmye

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:4444

192.168.1.23:4444

178.80.28.70:4444

Attributes

Install_directory
%ProgramData%
install_file
ss.exe

Targets

- Target
  
  run.exe
- Size
  
  7.0MB
- MD5
  
  9274e74a255423ad522ca65a24390d8d
- SHA1
  
  310f06e5f65997fda3493e4516ba588181652aa9
- SHA256
  
  9e532dd2bc349871db31ec7af83a836a9e1c0f76c086d94cce3367497f74a614
- SHA512
  
  ee1967ffd6db52f82c9d7ac0bac2f1b701bee80cbf09bb3250cf303f75c33af56f45250678dc6e4424164b712c65d81bd2e51b26319a5cc28bf164b3ff680e0a
- SSDEEP
  
  196608:QW00tCWveNTfm/pf+xk4dWRimrbW3jmyF:tCWsy/pWu4kRimrbmye
Score

10^/10

xworm defense_evasion discovery execution rat trojan upx
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  defense_evasion
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  �%eK�.pyc
- Size
  
  1KB
- MD5
  
  fabdceae1bbe51435cb471b05668ac06
- SHA1
  
  41e827b5746719f71b03b5c818664bdffd972a2f
- SHA256
  
  5e4751b0b5c8bd41ae9c1bd4959eba0111db6417df76f14534828e8fbaed01ea
- SHA512
  
  58d801c77f439053bcbb33e5459138502cbd53206dc13d2fd3e64794baa1ef2b9bb3df4e781570c6ab412124e49df64c3153d0d03707e06f334414caa9605198
Score

1^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3

T1059

PowerShell

2

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Deletes Windows Defender Definitions

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Enumerates processes with tasklist

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4