General

  • Target

    archive_21.zip

  • Size

    83.0MB

  • Sample

    250322-gxlp6atjw2

  • MD5

    eb88c2cbaca3f123bb80df3ea6a9fd82

  • SHA1

    d1714a36732725d48af155b99efd295abed292dd

  • SHA256

    ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940

  • SHA512

    18646f85c902c62b63793930bcf49aea3fd701b28dabbb0b4d220ca46aa60de0a252b3f982a9d8cd6ed2f4184d335bc0ee4b32fbe1cef2307ed4facbff510eef

  • SSDEEP

    1572864:ltWgnVZKMBS7hAVnI4A46clWQk3XzXKFFeQzhAVnIioVFORvoz9:ltfzS74Z5l1k3XQz4+nORu9

Malware Config

Extracted

Family

redline

Botnet

zilop

C2

104.219.239.239:1912

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

Mutex

02b4053f-9954-4680-b5cd-1fed101a4503

Attributes
  • encryption_key

    921EF57210F7C5FE87D0198A92C0944F7B58C092

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

C2

digital-powerful.gl.at.ply.gg:53650

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

xworm

Version

5.0

C2

Xyxebet-60479.portmap.host:60479

45.141.27.117:1919

tunhost.duckdns.org:57891

wintun.freemyip.com:57891

87.249.134.68:57891

Mutex

EnF1R23VZslDnAyL

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

Version

3.1

C2

82.21.151.21:7000

medicine-sports.gl.at.ply.gg:28097

Attributes
  • install_file

    Mason.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

result-disco.gl.at.ply.gg:57385

Mutex

47ab188f8e85bfa3da03bf64502618f4

Attributes
  • reg_key

    47ab188f8e85bfa3da03bf64502618f4

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352501372666253334/RsApJsV3k739-Qq7v3VJTDO6NzjEaaTvR8Ch9m0BezHh-GdUpmxieQhUEziDpbbC9HlT

Extracted

Family

nanocore

Version

1.2.2.0

C2

elroithegodofnsppd.duckdns.org:43366

elroithegodofnsppd.ddnsfree.com:43366

Mutex

4991469e-2d84-4048-8aed-20a53304961e

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    elroithegodofnsppd.ddnsfree.com

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2024-12-06T15:16:37.862063536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    43366

  • default_group

    EROI MY GOD

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    4991469e-2d84-4048-8aed-20a53304961e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    elroithegodofnsppd.duckdns.org

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009
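The extracted configs above list C2 endpoints for six families, and not all of them deserve the same response. As an added example (this editor's code, not part of the sandbox report), the block below normalises those values into a triaged indicator set: a public IP is blocked outright; a hostname on a tunnelling or dynamic-DNS service (playit.gg, portmap.host, DuckDNS, freemyip, ddnsfree) is blocked as an exact FQDN only, because the parent domain also serves legitimate users; a private address such as the Quasar C2 192.168.56.1 (RFC 1918, the VirtualBox host-only default) shows a build that can only call home inside the builder's own lab and has no perimeter value; and the Umbral Discord webhook is kept as a URL to alert on and report, since discord.com itself cannot be blocked in most environments. The shared-service suffix list is the editor's assumption drawn from the hostnames on this page, not a maintained feed.

```python
"""Normalise the C2 values from the 'Malware Config' section into a triaged
indicator set. Added example (editor's code, not part of the sandbox report)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# C2 values copied from the extracted configs above, keyed by family.
EXTRACTED_C2 = {
    "redline": ["104.219.239.239:1912"],
    "quasar": ["192.168.56.1:4782"],
    "xworm": [
        "digital-powerful.gl.at.ply.gg:53650",
        "Xyxebet-60479.portmap.host:60479",
        "45.141.27.117:1919",
        "tunhost.duckdns.org:57891",
        "wintun.freemyip.com:57891",
        "87.249.134.68:57891",
        "82.21.151.21:7000",
        "medicine-sports.gl.at.ply.gg:28097",
    ],
    "njrat": ["result-disco.gl.at.ply.gg:57385"],
    "umbral": ["https://discord.com/api/webhooks/1352501372666253334/"
               "RsApJsV3k739-Qq7v3VJTDO6NzjEaaTvR8Ch9m0BezHh-GdUpmxieQhUEziDpbbC9HlT"],
    "nanocore": [
        "elroithegodofnsppd.duckdns.org:43366",
        "elroithegodofnsppd.ddnsfree.com:43366",
    ],
}

# Parent domains of services that hand out public endpoints to anyone.
# Assumption: this list is the editor's, built from the hostnames on this page,
# not a maintained feed; extend it from your own telemetry.
SHARED_SERVICE_SUFFIXES = ("ply.gg", "portmap.host", "duckdns.org",
                           "freemyip.com", "ddnsfree.com")


@dataclass(frozen=True)
class C2Indicator:
    family: str
    raw: str
    host: str
    port: int
    kind: str                      # "ip", "domain" or "url"
    routable: bool                 # False for private/loopback/link-local IPs
    shared_service: Optional[str]  # matching suffix from SHARED_SERVICE_SUFFIXES


def parse_c2(family: str, value: str) -> C2Indicator:
    """Turn one 'host:port' or URL config value into a C2Indicator."""
    if value.lower().startswith(("http://", "https://")):
        u = urlsplit(value)
        port = u.port or (443 if u.scheme == "https" else 80)
        return C2Indicator(family, value, u.hostname.lower(), port, "url", True, None)
    host, sep, port_s = value.rpartition(":")
    if not sep or not port_s.isdigit() or not 0 < int(port_s) < 65536:
        raise ValueError(f"malformed C2 value: {value!r}")
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
        kind, routable = "ip", ip.is_global
    except ValueError:
        kind, routable = "domain", True
    suffix = next((s for s in SHARED_SERVICE_SUFFIXES if host.endswith("." + s)), None)
    return C2Indicator(family, value, host, int(port_s), kind, routable, suffix)


def build_indicators(configs=EXTRACTED_C2):
    return [parse_c2(fam, v) for fam, values in configs.items() for v in values]


def triage(indicators):
    """Sort indicators into the buckets an analyst acts on differently."""
    out = {"block_ip": set(), "block_fqdn": set(), "shared_service_parents": set(),
           "non_routable": set(), "webhook_urls": set()}
    for i in indicators:
        if i.kind == "url":
            out["webhook_urls"].add(i.raw)          # alert on / report the exact URL
        elif i.kind == "ip" and not i.routable:
            out["non_routable"].add(i.host)         # lab build; no perimeter value
        elif i.kind == "ip":
            out["block_ip"].add(i.host)
        else:
            out["block_fqdn"].add(i.host)           # exact FQDN only
            if i.shared_service:
                out["shared_service_parents"].add(i.shared_service)  # never block these
    return out


if __name__ == "__main__":
    for bucket, items in triage(build_indicators()).items():
        print(f"{bucket}: {sorted(items)}")
```

Note that the three XWorm hosts sharing port 57891 (two DDNS names and a raw IP) are most likely one operator endpoint reached three ways; blocking only the IP would leave the names free to be repointed, so all three go into the set.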

Targets

    • Target

      55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe

    • Size

      300KB

    • MD5

      dbbc76e3ba0de89300db081cb3e579af

    • SHA1

      c1f4ebe05134b11e53fab95410554725d1959feb

    • SHA256

      55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538

    • SHA512

      86555093a16d6dc5342399ae3efee4430eb7e7f5c7a2cbeb428fb5004c9cced28c62f46421c969167a69c204ee201a6c8ee14367a0f24e1c8681efe19b026375

    • SSDEEP

      3072:icZqf7D34xp/0+mAGkyYaxQwgrRB1fA0PuTVAtkxzh3R0eqiOL2bBOA:icZqf7DIjnm2lB1fA0GTV8kX8L

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Target

      55bc6e4a240651d4266ea63bd771337e.exe

    • Size

      32KB

    • MD5

      55bc6e4a240651d4266ea63bd771337e

    • SHA1

      e2ca8413a263c352d7eb32acef7c9e119042b443

    • SHA256

      e368b11f01bc7103f378e5b7a17860f285e843ff06dea355e308331b29ac1fae

    • SHA512

      e746424667436e4a8f6b690efa6e69df122a2de55ae5161682705cb838210703e28a44c2cfc6eadef005a872a5d025bfbd4587656e2a85830d7826614d057ceb

    • SSDEEP

      768:ff7wN9yW3wLceVM4vwjrwsXK18w3ccrfL9ar:8O7x4YH18w3cafRar

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe

    • Size

      3.1MB

    • MD5

      4e5ef939d2eaac0b886f33cdc6bbe457

    • SHA1

      748d293f933dd5d1e5dd11f14cd9c16dbcadb966

    • SHA256

      55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f

    • SHA512

      a03edd8b94da288370aa10660213f6eadaf91a6c026d8f1ea212901a43a5661c16c757348944802de782ba8a56ef2c1eeddf231c896e9c9af5da22a20db83a00

    • SSDEEP

      49152:fvbI22SsaNYfdPBldt698dBcjHNpRJ6YbR3LoGd+2THHB72eh2NT:fvk22SsaNYfdPBldt6+dBcjHNpRJ6yO

    • Target

      55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe

    • Size

      3.6MB

    • MD5

      3253b2e17495ad4fa33b0caa88defd97

    • SHA1

      112eeaa584434e26a2303b9ed654b2d9feabab20

    • SHA256

      55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d

    • SHA512

      e15a08a9a16817699526111907e9b3d9ed437c3d2da7b4a83a54f395cb71403cc6805b415494aa0bd2eb753ce53021ef77e4a1153865339572bd0841aadb1d77

    • SSDEEP

      98304:i250LpLG9AVCX9Uv1k24W2xhg+rjTCYSGtS+T7OvTik:i250PVCNUdF4zxhg+HSGQ+3kT

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Target

      55e68f668a9bc6872ae937e6ffb74136.exe

    • Size

      2.0MB

    • MD5

      55e68f668a9bc6872ae937e6ffb74136

    • SHA1

      b5621bc9452e41de3f170a3ab213dbbbca533a34

    • SHA256

      7f99f9415b4cfa7a90a6e3f5f623112defe700ae2d33df28ddae4b4b8f0340d9

    • SHA512

      73172b78a8a671217c3cc56768c8c630f3a2628e25c42287bddb531ecae8e46e9183273bef075254dab1fbfa8bdcf1f56a6fd0efd81cffb21c18bf3fd8a7cc26

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe

    • Size

      1.3MB

    • MD5

      c537265e08b74720fcf044daa1921daf

    • SHA1

      34aa4e1ea864b660757270648c5e6b34bab51883

    • SHA256

      5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9

    • SHA512

      c19647bb65a0217963630f5fe897930da319976dc58001acaa6cb7f2789289d7aa0978266ff9096b2c615e22653a832c14e6df77b94eabf409a50c5752722bdc

    • SSDEEP

      12288:l8nuZfUXSyPhkiVTybU5NXQdERNJ9qMTZLNYX1LeiMoS0u6qzeQDdQquvyza4nQC:lYuxryWePLgUqMFLNYX1QblDdZa0QC

    Score
    1/10
    • Target

      563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe

    • Size

      12.4MB

    • MD5

      597dbb425d3fdbfcd96cfb7f0f447eda

    • SHA1

      34f05cd0cdaca3015e2f6e3fd24ef460f1c0c037

    • SHA256

      563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469

    • SHA512

      75994ed55a09539f556f31442dd7ad838a1484466e2ab396b36d017f8fbc28bd0c052c17c0d74376d4e92837d1a4e6d97ec8190ad6ee0a1f8d5a8d6e6acc63bd

    • SSDEEP

      393216:uTmEkeTbTQC4x2FVSRsWBWlBOBum5xo+s:GjTnxVRIFDzoD

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Target

      56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe

    • Size

      305KB

    • MD5

      62909f84c54ea6c3dd35c67b0c7e1a41

    • SHA1

      1e1a8aaaca779d7e6261c0c81dece9b89a7b3759

    • SHA256

      56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61

    • SHA512

      48782a36763f3db573c80bd086e6e4f5c8e8aaf61c32b530953ee0ad6f70c00cff04d8c070a3371f9e3f3dd9755d3289c632e52ab999f2be802fc1df45583aa0

    • SSDEEP

      6144:YQPKPOeAta8PAe6VlWT8b9hHhr3fbSXoXfE:zSPOhYPVle8/hq

    • Modifies WinLogon for persistence

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      569bb28f26e0170d21d0f5788a4ee262.exe

    • Size

      2.1MB

    • MD5

      569bb28f26e0170d21d0f5788a4ee262

    • SHA1

      04740c6f85e9952aace33b43f16567e5b26152a0

    • SHA256

      077ff4fd1a42fa755bb31b877c8ff2aea27683b31c65261bfe0d15cff0738934

    • SHA512

      58db7e0d56e278801a35e4f762b0bca294f915e7720c039beb6d779d122aa344763bf71bafd698d70f0b217e7bf829b74f94563f56389925cf2a42dd6098cbc2

    • SSDEEP

      49152:x/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Target

      56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe

    • Size

      622KB

    • MD5

      a1bc8a1b9cfd1ce7f226de09131c4cfc

    • SHA1

      6834f014436774bb6d720fffdd2656eb91193918

    • SHA256

      56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54

    • SHA512

      2c01b40db9a52dd7aaf316e0011d85f7e1484728a6b65139765b7525af665205a2dd1a3fad162fb6b8dc26d69ad4ff92e86908ef072af5440923c7894f1e5ab4

    • SSDEEP

      12288:pu5MOiV13I+DRKglWfsnoeWPSRNfcU5C8RMtBmEFPpu353e+dqMX2:pu5MOiX3I+DkSWkno/PSNkxOMHmEFPgS

    • Detect Xworm Payload

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Xmrig family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Creates new service(s)

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      56bf03053c6a58211b3bb060862ea7ec.exe

    • Size

      68KB

    • MD5

      56bf03053c6a58211b3bb060862ea7ec

    • SHA1

      3c026aec310edda9884a7f744eb869c80163272d

    • SHA256

      4c80e87e99e487ffc0f90c9e4fe4aa64475a90ed18c4f4afd51bd3f4a411ed8a

    • SHA512

      40a2b58bcf9648eab523056a8505c9069bc50723c670611cecd33e18d2d5367aecab8bf1912c1cccb3ccaf652092533045de16de645f9dd7be13ba6d3a5bfcb3

    • SSDEEP

      1536:UuU1cxYgbIk9HMvz2fWY5fbTlkkPal/+F6Q/OEcKHm:Uu5VBAzE5bTlBy8r/OEhm

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      56f180528b74e418299dd53d17305073.exe

    • Size

      44KB

    • MD5

      56f180528b74e418299dd53d17305073

    • SHA1

      2b0e07cca95b2ad12a3a62542d60563fe771d7e5

    • SHA256

      f4624b0f6ddcc9063d0860d7f89ce72b65ec788471497cf3ac4e9eec4e9a9971

    • SHA512

      da37318c4f3cd4dc636c7fe65f72b8129f8f776cc1b3e968dae5d98fcf9459e146059a8cec04cedb9cfeea8320a17ebef797485f8fac03fc5303e3ac040286c6

    • SSDEEP

      768:mb9Am7OYpuHa56hr0ols+qLYMaA+F+t9pfN3ja6iOChbbVL2K:mbOedpu656hrdbeaRFw9Zw6iOCJV5

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe

    • Size

      2.0MB

    • MD5

      18df4416b99e38d8f201ffff991464a8

    • SHA1

      7607ea4dd4253214604250b52eef2fead9884fcf

    • SHA256

      5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88

    • SHA512

      28917e821c575bc9671987b7b320900b850550a2c6b6a36396c1b21eddd0edaa6531e9f7c6d0185e7feed136eec5077e3afac438375f72ae814980f4c85f3b9f

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT active since June 2019 that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe

    • Size

      28.9MB

    • MD5

      e93ab7d09ceca46c4ecec7ab9a02d387

    • SHA1

      79e08d601f9f696bbb6801da6f3523970bebd1e7

    • SHA256

      575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1

    • SHA512

      aecf648eade4d1868180667c94a2b18e5af7808e485a53c77fad13d9ea7efcb74ecfa41592b37c93c1754aacb6946c34bfd2e300c007656f94f42a4870d5200c

    • SSDEEP

      786432:4XuCHGJTk6G76kMNr0R7QMMnmAiiqPS3o:5ZPkMYsMMnmAi63o

    Score
    7/10
    • Deletes itself

    • Drops startup file

    • Target

      57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe

    • Size

      229KB

    • MD5

      a0397395824c0069a98cbe5702f013a1

    • SHA1

      730af9f2e0b3458788cca74c595d91fe165dbd49

    • SHA256

      57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f

    • SHA512

      8ab7f110b9989f24de8a264084c1e933c0b373f3619222c10a56b0ff10df29069d58e9cd847c0f196a6d71f54fbbca2221328d9a7901f4151dc60f887cc3afa1

    • SSDEEP

      3072:it4FE9RQOqFdLD8KbgVtn8Mo8G1gVziHzZbIK1YKB/pCAcNqXhwBV3yxSQig8xNV:i8E9U/5bTgVziHzZnSKrCbYMwgba8Vq

    • Detect Xworm Payload

    • Modifies security service

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe

    • Size

      338KB

    • MD5

      5b7ccfca9393b276311cbd13b5267747

    • SHA1

      cb246b9d728ebbb150224fd05c7a4cd7a6f25dbb

    • SHA256

      57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a

    • SHA512

      f86d4a976bee24a013c35990650d8f52caa1b340a741529a443578c432f50d52dd6c64738b20e3a2c989bf0969486ba52abbd02026c205a562503dd37d55ccf9

    • SSDEEP

      6144:Y5gICebp23YUv+GIIIIIIIhIIIIIIIIIIIIIIIU:Y5g3KCYUQ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
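Several of the behaviour tags in the target list above (PowerShell adding Defender exclusions, powercfg abuse, clearing Windows event logs, Run-key persistence, service creation, and the command obfuscation tag) are all visible on the process command line, so a single process-creation feed covers them. The block below is an added example by this editor, not part of the sandbox report: a minimal detection pass over constructed Sysmon-style process-creation records. The sample events, the regexes and the ATT&CK technique mappings are the editor's assumptions; the command lines are constructed for illustration and were not observed in this sample. It also decodes PowerShell's -EncodedCommand argument before matching, since an exclusion added through an encoded command would otherwise be missed.

```python
"""Command-line detections for the behaviours tagged in this report.
Added example (editor's code, not part of the sandbox report); the events,
regexes and ATT&CK mappings are the editor's assumptions."""
import base64
import re
from typing import Optional

# (rule name, ATT&CK technique, pattern) -- technique IDs per Enterprise ATT&CK
RULES = [
    ("Defender exclusion or feature disabled via PowerShell", "T1562.001",
     re.compile(r"\b(Add|Set)-MpPreference\b.*-(Exclusion(Path|Process|Extension)|Disable\w+)", re.I)),
    ("Windows event log cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("Run key persistence via reg.exe", "T1547.001",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
    ("Sleep or hibernation disabled via powercfg", "T1653",
     re.compile(r"\bpowercfg(\.exe)?\s+([-/](x|change)\b.*\b(timeout|hibernate)|[-/]h(ibernate)?\s+off\b)", re.I)),
    ("Service created from the command line", "T1543.003",
     re.compile(r"\bsc(\.exe)?\s+create\b|\bNew-Service\b", re.I)),
]

# PowerShell's -EncodedCommand and its abbreviations, followed by base64.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(command: str) -> str:
    """Encode as PowerShell -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Run RULES over Sysmon-style process-creation events (EventID 1)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        cmd = ev.get("CommandLine", "")
        candidates = [(cmd, False)]
        decoded = decode_encoded_command(cmd)
        if decoded:
            candidates.append((decoded, True))  # match on the de-obfuscated text too
        for name, technique, rx in RULES:
            for text, was_encoded in candidates:
                if rx.search(text):
                    hits.append({"rule": name, "technique": technique,
                                 "command": text, "decoded": was_encoded,
                                 "image": ev.get("Image", "")})
                    break
    return hits


# Constructed sample events using Sysmon field names; not from this sample.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming' -ExclusionProcess svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /x standby-timeout-ac 0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svhost /t REG_SZ /d "C:\Users\victim\AppData\Roaming\svhost.exe"'},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc "
                    + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create WindowsUpdateHelper binPath= "C:\ProgramData\svhost.exe" start= auto'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
    {"EventID": 3, "Image": PS, "CommandLine": "wevtutil cl Security"},  # not a process-create event
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f'{h["technique"]} {h["rule"]}: {h["command"]}')
```

These are command-line rules only; the "Looks up external IP address via web service" and "Checks BIOS information in registry" tags need network and registry telemetry respectively, and a process launched through a dropped copy of an installer or a renamed binary will show an unexpected Image path even when the command line looks ordinary, so the image field is carried in each hit for that second look.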

MITRE ATT&CK Enterprise v15

Tasks

static1

zilop office04 rat mybot redline quasar dcrat xworm njrat umbral
Score
10/10

behavioral1

redline zilop discovery infostealer
Score
10/10

behavioral2

redline zilop discovery infostealer
Score
10/10

behavioral3

defense_evasion discovery persistence privilege_escalation
Score
8/10

behavioral4

defense_evasion discovery persistence privilege_escalation
Score
8/10

behavioral5

quasar office04 spyware trojan
Score
10/10

behavioral6

quasar office04 spyware trojan
Score
10/10

behavioral7

discovery
Score
7/10

behavioral8

discovery
Score
7/10

behavioral9

dcrat infostealer rat
Score
10/10

behavioral10

dcrat infostealer rat
Score
10/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

defense_evasion pyinstaller
Score
7/10

behavioral14

defense_evasion pyinstaller
Score
7/10

behavioral15

persistence privilege_escalation
Score
10/10

behavioral16

persistence privilege_escalation
Score
10/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

nanocore xmrig xworm defense_evasion discovery execution keylogger miner persistence rat spyware stealer trojan upx
Score
10/10

behavioral20

nanocore xmrig xworm defense_evasion discovery execution keylogger miner persistence rat spyware stealer trojan upx
Score
10/10

behavioral21

xworm execution persistence rat trojan
Score
10/10

behavioral22

xworm rat trojan
Score
10/10

behavioral23

xworm rat trojan
Score
10/10

behavioral24

xworm rat trojan
Score
10/10

behavioral25

dcrat infostealer rat
Score
10/10

behavioral26

dcrat infostealer rat
Score
10/10

behavioral27

discovery
Score
7/10

behavioral28

discovery
Score
7/10

behavioral29

xworm defense_evasion rat trojan
Score
10/10

behavioral30

xworm defense_evasion rat trojan
Score
10/10

behavioral31

xworm persistence rat trojan
Score
10/10

behavioral32

xworm persistence rat trojan
Score
10/10