Overview

overview

10

Static

static

3

Vulturi St...��.exe

windows7-x64

10

Vulturi St...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    03/03/2025, 19:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vulturi Stealer‌.exe

  • Size

    532KB

  • MD5

    e62f8723a8831b750c34e1ec7b24c48e

  • SHA1

    906a94b2d84038a5f236d4b8d8dbccbb1f16dc9c

  • SHA256

    f37e1281da195bfde456802494ecf0b9d7ca54cca6e39bc633cce123a8806357

  • SHA512

    dd452900d3c81c2a72c4f3c33b9dfc967477bf88c27da1a9b492ee76329d22b0e2c94563038cf03837408c2ed34bb1e5c05259f25fd116a227fceb4a1b056ea6

  • SSDEEP

    12288:PG/QZccyiGTWFmphezgoYX8OUE46o+wIg1z6S/qrD:PE9iGgskVYMOm6twIg1mS/I

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer‌.exe
    "C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer‌.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe"
      2⤵
      • Executes dropped EXE
      PID:1712
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
    • C:\ProgramData\csrss.exe
      "C:\ProgramData\csrss.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\csrss.exe
    Filesize

    30KB

    MD5

    0998890ccf8a3d8702db7a84fe6dd7b3

    SHA1

    18e561e0ef68fb08d8f391eacd45c7d573206b92

    SHA256

    c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220

    SHA512

    8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Vulturi Stealer.exe
    Filesize

    1.2MB

    MD5

    ca294b2f778abc14fef6313b3cea7155

    SHA1

    a7b9f93865aef9d9be61851d94c58d2763770e1a

    SHA256

    e660925a7cbb5b271d569b50285c862e20b5a15c8596b7442ec2a4c29bfcfd4e

    SHA512

    f1b9067598ec12a313ea54b97e5039c530b55e14207f1030babb296ef49bcdc2dfcb68ef97759fb15af057993ecb23e6f7c97beacf7e3b7711c19ee63a8d37f3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f20fd6439cb5c8247992db000836c398

    SHA1

    534e9eb1c3ada744381cf83ab16729b819f10baa

    SHA256

    e493df24371377b340965af83f411307ce65b33dfb052f93584242f2c6c78c24

    SHA512

    2659c4315b179fff57a2c487853c71bfe7b244a979b72097ae5057f26ac2568ab78525f5eaa842bf902e5e5d752082e74b966549327fb5707ce8c8e8ee025e41

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    67KB

    MD5

    50dce71a753bad01a07904f2af283123

    SHA1

    1beab766071ddeff0c8e577c6717debcee0d21e6

    SHA256

    8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3

    SHA512

    7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

    Download Submit

  • memory/1712-22-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1720-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-23-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1720-1-0x00000000008D0000-0x000000000095A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1984-20-0x0000000000880000-0x0000000000898000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2124-21-0x00000000010A0000-0x00000000010AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2436-46-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2436-47-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2852-33-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2852-34-0x0000000002070000-0x0000000002078000-memory.dmp

    Filesize

    32KB

    Download