dcrat

Sharing

Copy URL

Twitter E-mail

General

Target

archive_21.zip
Size

83.0MB
Sample

250322-gxlp6atjw2
MD5

eb88c2cbaca3f123bb80df3ea6a9fd82
SHA1

d1714a36732725d48af155b99efd295abed292dd
SHA256

ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940
SHA512

18646f85c902c62b63793930bcf49aea3fd701b28dabbb0b4d220ca46aa60de0a252b3f982a9d8cd6ed2f4184d335bc0ee4b32fbe1cef2307ed4facbff510eef
SSDEEP

1572864:ltWgnVZKMBS7hAVnI4A46clWQk3XzXKFFeQzhAVnIioVFORvoz9:ltfzS74Z5l1k3XQz4+nORu9

Malware Config

Extracted

Family

redline

Botnet

zilop

104.219.239.239:1912

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

02b4053f-9954-4680-b5cd-1fed101a4503

Attributes

encryption_key
921EF57210F7C5FE87D0198A92C0944F7B58C092
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

digital-powerful.gl.at.ply.gg:53650

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

xworm

Version

5.0

Xyxebet-60479.portmap.host:60479

45.141.27.117:1919

tunhost.duckdns.org:57891

wintun.freemyip.com:57891

87.249.134.68:57891

Mutex

EnF1R23VZslDnAyL

Attributes

Install_directory
%AppData%
install_file
svhost.exe

aes.plain

Extracted

Family

xworm

Version

3.1

82.21.151.21:7000

medicine-sports.gl.at.ply.gg:28097

Attributes

install_file
Mason.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

result-disco.gl.at.ply.gg:57385

Mutex

47ab188f8e85bfa3da03bf64502618f4

Attributes

reg_key
47ab188f8e85bfa3da03bf64502618f4
splitter
Y262SUCZ4UJJ

Extracted

Family

umbral

https://discord.com/api/webhooks/1352501372666253334/RsApJsV3k739-Qq7v3VJTDO6NzjEaaTvR8Ch9m0BezHh-GdUpmxieQhUEziDpbbC9HlT

Extracted

Family

nanocore

Version

1.2.2.0

elroithegodofnsppd.duckdns.org:43366

elroithegodofnsppd.ddnsfree.com:43366

Mutex

4991469e-2d84-4048-8aed-20a53304961e

Attributes

activate_away_mode
false
backup_connection_host
elroithegodofnsppd.ddnsfree.com
backup_dns_server
buffer_size
65538
build_time
2024-12-06T15:16:37.862063536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
43366
default_group
EROI MY GOD
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
4991469e-2d84-4048-8aed-20a53304961e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
elroithegodofnsppd.duckdns.org
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Targets

- Target
  
  55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
- Size
  
  300KB
- MD5
  
  dbbc76e3ba0de89300db081cb3e579af
- SHA1
  
  c1f4ebe05134b11e53fab95410554725d1959feb
- SHA256
  
  55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538
- SHA512
  
  86555093a16d6dc5342399ae3efee4430eb7e7f5c7a2cbeb428fb5004c9cced28c62f46421c969167a69c204ee201a6c8ee14367a0f24e1c8681efe19b026375
- SSDEEP
  
  3072:icZqf7D34xp/0+mAGkyYaxQwgrRB1fA0PuTVAtkxzh3R0eqiOL2bBOA:icZqf7DIjnm2lB1fA0GTV8kX8L
Score

10^/10

redline zilop discovery infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
behavioral1 behavioral2
- Target
  
  55bc6e4a240651d4266ea63bd771337e.exe
- Size
  
  32KB
- MD5
  
  55bc6e4a240651d4266ea63bd771337e
- SHA1
  
  e2ca8413a263c352d7eb32acef7c9e119042b443
- SHA256
  
  e368b11f01bc7103f378e5b7a17860f285e843ff06dea355e308331b29ac1fae
- SHA512
  
  e746424667436e4a8f6b690efa6e69df122a2de55ae5161682705cb838210703e28a44c2cfc6eadef005a872a5d025bfbd4587656e2a85830d7826614d057ceb
- SSDEEP
  
  768:ff7wN9yW3wLceVM4vwjrwsXK18w3ccrfL9ar:8O7x4YH18w3cafRar
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
- Size
  
  3.1MB
- MD5
  
  4e5ef939d2eaac0b886f33cdc6bbe457
- SHA1
  
  748d293f933dd5d1e5dd11f14cd9c16dbcadb966
- SHA256
  
  55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f
- SHA512
  
  a03edd8b94da288370aa10660213f6eadaf91a6c026d8f1ea212901a43a5661c16c757348944802de782ba8a56ef2c1eeddf231c896e9c9af5da22a20db83a00
- SSDEEP
  
  49152:fvbI22SsaNYfdPBldt698dBcjHNpRJ6YbR3LoGd+2THHB72eh2NT:fvk22SsaNYfdPBldt6+dBcjHNpRJ6yO
Score

10^/10

quasar office04 spyware trojan
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
behavioral5 behavioral6
- Target
  
  55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
- Size
  
  3.6MB
- MD5
  
  3253b2e17495ad4fa33b0caa88defd97
- SHA1
  
  112eeaa584434e26a2303b9ed654b2d9feabab20
- SHA256
  
  55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d
- SHA512
  
  e15a08a9a16817699526111907e9b3d9ed437c3d2da7b4a83a54f395cb71403cc6805b415494aa0bd2eb753ce53021ef77e4a1153865339572bd0841aadb1d77
- SSDEEP
  
  98304:i250LpLG9AVCX9Uv1k24W2xhg+rjTCYSGtS+T7OvTik:i250PVCNUdF4zxhg+HSGQ+3kT
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral7 behavioral8
- Target
  
  55e68f668a9bc6872ae937e6ffb74136.exe
- Size
  
  2.0MB
- MD5
  
  55e68f668a9bc6872ae937e6ffb74136
- SHA1
  
  b5621bc9452e41de3f170a3ab213dbbbca533a34
- SHA256
  
  7f99f9415b4cfa7a90a6e3f5f623112defe700ae2d33df28ddae4b4b8f0340d9
- SHA512
  
  73172b78a8a671217c3cc56768c8c630f3a2628e25c42287bddb531ecae8e46e9183273bef075254dab1fbfa8bdcf1f56a6fd0efd81cffb21c18bf3fd8a7cc26
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral10 behavioral9
- Target
  
  5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
- Size
  
  1.3MB
- MD5
  
  c537265e08b74720fcf044daa1921daf
- SHA1
  
  34aa4e1ea864b660757270648c5e6b34bab51883
- SHA256
  
  5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9
- SHA512
  
  c19647bb65a0217963630f5fe897930da319976dc58001acaa6cb7f2789289d7aa0978266ff9096b2c615e22653a832c14e6df77b94eabf409a50c5752722bdc
- SSDEEP
  
  12288:l8nuZfUXSyPhkiVTybU5NXQdERNJ9qMTZLNYX1LeiMoS0u6qzeQDdQquvyza4nQC:lYuxryWePLgUqMFLNYX1QblDdZa0QC
Score

1^/10
behavioral11 behavioral12
- Target
  
  563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
- Size
  
  12.4MB
- MD5
  
  597dbb425d3fdbfcd96cfb7f0f447eda
- SHA1
  
  34f05cd0cdaca3015e2f6e3fd24ef460f1c0c037
- SHA256
  
  563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469
- SHA512
  
  75994ed55a09539f556f31442dd7ad838a1484466e2ab396b36d017f8fbc28bd0c052c17c0d74376d4e92837d1a4e6d97ec8190ad6ee0a1f8d5a8d6e6acc63bd
- SSDEEP
  
  393216:uTmEkeTbTQC4x2FVSRsWBWlBOBum5xo+s:GjTnxVRIFDzoD
Score

7^/10

defense_evasion pyinstaller
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
behavioral13 behavioral14
- Target
  
  56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
- Size
  
  305KB
- MD5
  
  62909f84c54ea6c3dd35c67b0c7e1a41
- SHA1
  
  1e1a8aaaca779d7e6261c0c81dece9b89a7b3759
- SHA256
  
  56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61
- SHA512
  
  48782a36763f3db573c80bd086e6e4f5c8e8aaf61c32b530953ee0ad6f70c00cff04d8c070a3371f9e3f3dd9755d3289c632e52ab999f2be802fc1df45583aa0
- SSDEEP
  
  6144:YQPKPOeAta8PAe6VlWT8b9hHhr3fbSXoXfE:zSPOhYPVle8/hq
Score

10^/10

persistence privilege_escalation
- Modifies WinLogon for persistence
  persistence
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral15 behavioral16
- Target
  
  569bb28f26e0170d21d0f5788a4ee262.exe
- Size
  
  2.1MB
- MD5
  
  569bb28f26e0170d21d0f5788a4ee262
- SHA1
  
  04740c6f85e9952aace33b43f16567e5b26152a0
- SHA256
  
  077ff4fd1a42fa755bb31b877c8ff2aea27683b31c65261bfe0d15cff0738934
- SHA512
  
  58db7e0d56e278801a35e4f762b0bca294f915e7720c039beb6d779d122aa344763bf71bafd698d70f0b217e7bf829b74f94563f56389925cf2a42dd6098cbc2
- SSDEEP
  
  49152:x/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral17 behavioral18
- Target
  
  56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
- Size
  
  622KB
- MD5
  
  a1bc8a1b9cfd1ce7f226de09131c4cfc
- SHA1
  
  6834f014436774bb6d720fffdd2656eb91193918
- SHA256
  
  56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54
- SHA512
  
  2c01b40db9a52dd7aaf316e0011d85f7e1484728a6b65139765b7525af665205a2dd1a3fad162fb6b8dc26d69ad4ff92e86908ef072af5440923c7894f1e5ab4
- SSDEEP
  
  12288:pu5MOiV13I+DRKglWfsnoeWPSRNfcU5C8RMtBmEFPpu353e+dqMX2:pu5MOiX3I+DkSWkno/PSNkxOMHmEFPgS
Score

10^/10

nanocore xmrig xworm defense_evasion discovery execution keylogger miner persistence rat spyware stealer trojan upx
- Detect Xworm Payload
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- UAC bypass
  defense_evasion trojan
- Xmrig family
  xmrig
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19 behavioral20
- Target
  
  56bf03053c6a58211b3bb060862ea7ec.exe
- Size
  
  68KB
- MD5
  
  56bf03053c6a58211b3bb060862ea7ec
- SHA1
  
  3c026aec310edda9884a7f744eb869c80163272d
- SHA256
  
  4c80e87e99e487ffc0f90c9e4fe4aa64475a90ed18c4f4afd51bd3f4a411ed8a
- SHA512
  
  40a2b58bcf9648eab523056a8505c9069bc50723c670611cecd33e18d2d5367aecab8bf1912c1cccb3ccaf652092533045de16de645f9dd7be13ba6d3a5bfcb3
- SSDEEP
  
  1536:UuU1cxYgbIk9HMvz2fWY5fbTlkkPal/+F6Q/OEcKHm:Uu5VBAzE5bTlBy8r/OEhm
Score

10^/10

xworm execution persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral21 behavioral22
- Target
  
  56f180528b74e418299dd53d17305073.exe
- Size
  
  44KB
- MD5
  
  56f180528b74e418299dd53d17305073
- SHA1
  
  2b0e07cca95b2ad12a3a62542d60563fe771d7e5
- SHA256
  
  f4624b0f6ddcc9063d0860d7f89ce72b65ec788471497cf3ac4e9eec4e9a9971
- SHA512
  
  da37318c4f3cd4dc636c7fe65f72b8129f8f776cc1b3e968dae5d98fcf9459e146059a8cec04cedb9cfeea8320a17ebef797485f8fac03fc5303e3ac040286c6
- SSDEEP
  
  768:mb9Am7OYpuHa56hr0ols+qLYMaA+F+t9pfN3ja6iOChbbVL2K:mbOedpu656hrdbeaRFw9Zw6iOCJV5
Score

10^/10

xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral23 behavioral24
- Target
  
  5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
- Size
  
  2.0MB
- MD5
  
  18df4416b99e38d8f201ffff991464a8
- SHA1
  
  7607ea4dd4253214604250b52eef2fead9884fcf
- SHA256
  
  5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88
- SHA512
  
  28917e821c575bc9671987b7b320900b850550a2c6b6a36396c1b21eddd0edaa6531e9f7c6d0185e7feed136eec5077e3afac438375f72ae814980f4c85f3b9f
- SSDEEP
  
  49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score

10^/10

dcrat infostealer rat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
behavioral25 behavioral26
- Target
  
  575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
- Size
  
  28.9MB
- MD5
  
  e93ab7d09ceca46c4ecec7ab9a02d387
- SHA1
  
  79e08d601f9f696bbb6801da6f3523970bebd1e7
- SHA256
  
  575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1
- SHA512
  
  aecf648eade4d1868180667c94a2b18e5af7808e485a53c77fad13d9ea7efcb74ecfa41592b37c93c1754aacb6946c34bfd2e300c007656f94f42a4870d5200c
- SSDEEP
  
  786432:4XuCHGJTk6G76kMNr0R7QMMnmAiiqPS3o:5ZPkMYsMMnmAi63o
Score

7^/10

discovery
- Deletes itself
- Drops startup file
behavioral27 behavioral28
- Target
  
  57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
- Size
  
  229KB
- MD5
  
  a0397395824c0069a98cbe5702f013a1
- SHA1
  
  730af9f2e0b3458788cca74c595d91fe165dbd49
- SHA256
  
  57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f
- SHA512
  
  8ab7f110b9989f24de8a264084c1e933c0b373f3619222c10a56b0ff10df29069d58e9cd847c0f196a6d71f54fbbca2221328d9a7901f4151dc60f887cc3afa1
- SSDEEP
  
  3072:it4FE9RQOqFdLD8KbgVtn8Mo8G1gVziHzZbIK1YKB/pCAcNqXhwBV3yxSQig8xNV:i8E9U/5bTgVziHzZnSKrCbYMwgba8Vq
Score

10^/10

xworm defense_evasion rat trojan
- Detect Xworm Payload
- Modifies security service
  defense_evasion
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Loads dropped DLL
- Drops file in System32 directory
behavioral29 behavioral30
- Target
  
  57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
- Size
  
  338KB
- MD5
  
  5b7ccfca9393b276311cbd13b5267747
- SHA1
  
  cb246b9d728ebbb150224fd05c7a4cd7a6f25dbb
- SHA256
  
  57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a
- SHA512
  
  f86d4a976bee24a013c35990650d8f52caa1b340a741529a443578c432f50d52dd6c64738b20e3a2c989bf0969486ba52abbd02026c205a562503dd37d55ccf9
- SSDEEP
  
  6144:Y5gICebp23YUv+GIIIIIIIhIIIIIIIIIIIIIIIU:Y5g3KCYUQ
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral31 behavioral32