Overview

Per-task scores (out of 10). Sample names are truncated exactly as the report shows them; "-" means the report shows no score for that task.

Score  Task / sample            Platform
10     static                   (whole archive)
10     55b3d90596...38.exe      windows7-x64
10     55b3d90596...38.exe      windows10-2004-x64
10     55bc6e4a24...7e.exe      windows7-x64
8      55bc6e4a24...7e.exe      windows10-2004-x64
8      55be056b62...2f.exe      windows7-x64
10     55be056b62...2f.exe      windows10-2004-x64
10     55c90346c1...7d.exe      windows7-x64
7      55c90346c1...7d.exe      windows10-2004-x64
7      55e68f668a...36.exe      windows7-x64
10     55e68f668a...36.exe      windows10-2004-x64
10     5600890872...c9.exe      windows7-x64
1      5600890872...c9.exe      windows10-2004-x64
1      563d48f590...69.exe      windows7-x64
7      563d48f590...69.exe      windows10-2004-x64
7      56583e9f6e...61.exe      windows7-x64
10     56583e9f6e...61.exe      windows10-2004-x64
10     569bb28f26...62.exe      windows7-x64
7      569bb28f26...62.exe      windows10-2004-x64
7      56a0fe7669...54.exe      windows7-x64
10     56a0fe7669...54.exe      windows10-2004-x64
10     56bf03053c...ec.exe      windows7-x64
10     56bf03053c...ec.exe      windows10-2004-x64
10     56f180528b...73.exe      windows7-x64
10     56f180528b...73.exe      windows10-2004-x64
10     5737ca76a6...88.exe      windows7-x64
10     5737ca76a6...88.exe      windows10-2004-x64
10     575bc86968...a1.exe      windows7-x64
7      575bc86968...a1.exe      windows10-2004-x64
7      57d8199712...1f.exe      windows7-x64
10     57d8199712...1f.exe      windows10-2004-x64
-      57f8be0d4c...5a.exe      windows7-x64
10     57f8be0d4c...5a.exe      windows10-2004-x64
General

Score:   10/10
Target:  archive_21.zip
Size:    83.0MB
Sample:  250322-gxlp6atjw2
MD5:     eb88c2cbaca3f123bb80df3ea6a9fd82
SHA1:    d1714a36732725d48af155b99efd295abed292dd
SHA256:  ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940
SHA512:  18646f85c902c62b63793930bcf49aea3fd701b28dabbb0b4d220ca46aa60de0a252b3f982a9d8cd6ed2f4184d335bc0ee4b32fbe1cef2307ed4facbff510eef
SSDEEP:  1572864:ltWgnVZKMBS7hAVnI4A46clWQk3XzXKFFeQzhAVnIioVFORvoz9:ltfzS74Z5l1k3XQz4+nORu9
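Before relying on any of the digests above or on the per-target hashes further down, check that the file you actually have matches them. The helper below is an added example, not part of this report or of the sandbox's tooling: it computes MD5, SHA1, SHA256 and SHA512 in a single streamed pass (the archive is 83 MB, so the file is read once, not four times), derives the hash a sample's filename implies (this report names samples either by MD5, 32 hex characters, or by SHA-256, 64 hex characters), and reports every mismatch rather than stopping at the first. SSDEEP is deliberately left out because it needs a third-party library. The command-line usage at the bottom is an assumed convention for this example.

```python
# Added example (not from the report): verify a local sample against the
# MD5/SHA1/SHA256/SHA512 values a sandbox report lists, in one pass over the file.
import hashlib
import io
import os
import re
from typing import Dict, IO, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")
CHUNK = 1 << 20  # 1 MiB reads keep memory flat even for an 83 MB archive


def digest_stream(stream: IO[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers so the file is read only once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digest_stream(f)


def expected_from_name(filename: str) -> Optional[Tuple[str, str]]:
    """Sandbox corpora name samples by hash: in this report a 32-hex stem is the
    file's MD5 and a 64-hex stem its SHA-256. Returns (algo, digest) or None.
    Uses the host's path separator; a Windows path on Linux is not split."""
    stem = os.path.basename(filename).rsplit(".", 1)[0].lower()
    if re.fullmatch(r"[0-9a-f]{32}", stem):
        return ("md5", stem)
    if re.fullmatch(r"[0-9a-f]{64}", stem):
        return ("sha256", stem)
    return None


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {algo: (expected, actual)} for every digest that does not match.
    Hex case is ignored; an algorithm that was not computed is reported as a
    mismatch rather than silently passed."""
    mismatches = {}
    for algo, want in expected.items():
        got = actual.get(algo.lower())
        if got is None or got != want.lower():
            mismatches[algo] = (want, got or "<not computed>")
    return mismatches


def check_sample(path: str, report_digests: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare a file against the report's digests plus the hash its name implies."""
    expected = dict(report_digests)
    named = expected_from_name(path)
    if named:
        expected.setdefault(*named)
    return verify(digest_file(path), expected)


if __name__ == "__main__":
    import sys
    # Assumed usage: python verify_sample.py <file> sha256=<hex> [md5=<hex> ...]
    path, *pairs = sys.argv[1:]
    bad = check_sample(path, dict(p.split("=", 1) for p in pairs))
    for algo, (want, got) in bad.items():
        print(f"MISMATCH {algo}: expected {want}, got {got}")
    sys.exit(1 if bad else 0)
```

A non-empty result means the file is not the one the report analysed (a different build, a re-packed copy, or a truncated download), and the behaviour recorded below cannot be assumed to apply to it.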
Behavioral tasks

Task          Resource                 Sample
behavioral1   win7-20240903-en         55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
behavioral2   win10v2004-20250314-en   55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
behavioral3   win7-20250207-en         55bc6e4a240651d4266ea63bd771337e.exe
behavioral4   win10v2004-20250314-en   55bc6e4a240651d4266ea63bd771337e.exe
behavioral5   win7-20240903-en         55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
behavioral6   win10v2004-20250314-en   55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
behavioral7   win7-20240903-en         55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
behavioral8   win10v2004-20250314-en   55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
behavioral9   win7-20240903-en         55e68f668a9bc6872ae937e6ffb74136.exe
behavioral10  win10v2004-20250314-en   55e68f668a9bc6872ae937e6ffb74136.exe
behavioral11  win7-20241010-en         5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
behavioral12  win10v2004-20250314-en   5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
behavioral13  win7-20250207-en         563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
behavioral14  win10v2004-20250314-en   563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
behavioral15  win7-20240903-en         56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
behavioral16  win10v2004-20250314-en   56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
behavioral17  win7-20250207-en         569bb28f26e0170d21d0f5788a4ee262.exe
behavioral18  win10v2004-20250314-en   569bb28f26e0170d21d0f5788a4ee262.exe
behavioral19  win7-20240903-en         56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
behavioral20  win10v2004-20250314-en   56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
behavioral21  win7-20240903-en         56bf03053c6a58211b3bb060862ea7ec.exe
behavioral22  win10v2004-20250314-en   56bf03053c6a58211b3bb060862ea7ec.exe
behavioral23  win7-20241010-en         56f180528b74e418299dd53d17305073.exe
behavioral24  win10v2004-20250314-en   56f180528b74e418299dd53d17305073.exe
behavioral25  win7-20241010-en         5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
behavioral26  win10v2004-20250314-en   5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
behavioral27  win7-20240903-en         575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
behavioral28  win10v2004-20250314-en   575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
behavioral29  win7-20250207-en         57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
behavioral30  win10v2004-20250314-en   57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
behavioral31  win7-20240903-en         57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
behavioral32  win10v2004-20250314-en   57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
Malware Config

Extracted: redline
  zilop
  104.219.239.239:1912

Extracted: quasar
  version: 1.4.1
  Office04
  192.168.56.1:4782
  02b4053f-9954-4680-b5cd-1fed101a4503
  encryption_key:  921EF57210F7C5FE87D0198A92C0944F7B58C092
  install_name:    Client.exe
  log_directory:   Logs
  reconnect_delay: 3000
  startup_key:     Quasar Client Startup
  subdirectory:    SubDir

Extracted: xworm
  digital-powerful.gl.at.ply.gg:53650
  Install_directory: %AppData%
  install_file:      svchost.exe

Extracted: xworm
  version: 5.0
  Xyxebet-60479.portmap.host:60479
  45.141.27.117:1919
  tunhost.duckdns.org:57891
  wintun.freemyip.com:57891
  87.249.134.68:57891
  EnF1R23VZslDnAyL
  Install_directory: %AppData%
  install_file:      svhost.exe

Extracted: xworm
  version: 3.1
  82.21.151.21:7000
  medicine-sports.gl.at.ply.gg:28097
  install_file: Mason.exe

Extracted: njrat
  version: 0.7d
  MyBot
  result-disco.gl.at.ply.gg:57385
  47ab188f8e85bfa3da03bf64502618f4
  reg_key:  47ab188f8e85bfa3da03bf64502618f4
  splitter: Y262SUCZ4UJJ

Extracted: umbral
  https://discord.com/api/webhooks/1352501372666253334/RsApJsV3k739-Qq7v3VJTDO6NzjEaaTvR8Ch9m0BezHh-GdUpmxieQhUEziDpbbC9HlT

Extracted: nanocore
  version: 1.2.2.0
  elroithegodofnsppd.duckdns.org:43366
  elroithegodofnsppd.ddnsfree.com:43366
  4991469e-2d84-4048-8aed-20a53304961e
  activate_away_mode:               false
  backup_connection_host:           elroithegodofnsppd.ddnsfree.com
  backup_dns_server:                (empty)
  buffer_size:                      65538
  build_time:                       2024-12-06T15:16:37.862063536Z
  bypass_user_account_control:      false
  bypass_user_account_control_data: (value not shown)
  clear_access_control:             false
  clear_zone_identifier:            false
  connect_delay:                    4000
  connection_port:                  43366
  default_group:                    EROI MY GOD
  enable_debug_mode:                true
  gc_threshold:                     1.0485772e+07
  keep_alive_timeout:               30000
  keyboard_logging:                 false
  lan_timeout:                      2500
  max_packet_size:                  1.0485772e+07
  mutex:                            4991469e-2d84-4048-8aed-20a53304961e
  mutex_timeout:                    5000
  prevent_system_sleep:             false
  primary_connection_host:          elroithegodofnsppd.duckdns.org
  primary_dns_server:               (empty)
  request_elevation:                true
  restart_delay:                    5000
  run_delay:                        0
  run_on_startup:                   false
  set_critical_process:             false
  timeout_interval:                 5000
  use_custom_dns_server:            false
  version:                          1.2.2.0
  wan_timeout:                      8009
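The configs above are what an analyst turns into hunting and blocking material, and the mix of families hides two traps: one C2 is a private address, and most of the hostnames sit on tunnelling or dynamic-DNS providers that must not be blocked wholesale. The code below is an added example, not part of this report or of the sandbox's extractors. It transcribes the host:port entries from the Malware Config section into a constructed table, classifies each as an IP or hostname, flags addresses that are not internet-routable, records the shared provider suffix where there is one, groups hosts by port (a cheap infrastructure pivot), and emits Suricata rules (Suricata 5+ syntax; the SID base is an assumed local range). Field labels and the provider list are assumptions for this example.

```python
# Added example (not from the report): turn the endpoints in the "Malware Config"
# section into a typed IOC list, separating routable C2 from a private test address
# and marking hosts that sit on tunnelling / dynamic-DNS providers.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Transcribed from the report's extracted configs (family -> host:port entries).
REPORT_C2: Dict[str, List[str]] = {
    "redline": ["104.219.239.239:1912"],
    "quasar": ["192.168.56.1:4782"],
    "xworm": [
        "digital-powerful.gl.at.ply.gg:53650",
        "Xyxebet-60479.portmap.host:60479",
        "45.141.27.117:1919",
        "tunhost.duckdns.org:57891",
        "wintun.freemyip.com:57891",
        "87.249.134.68:57891",
        "82.21.151.21:7000",
        "medicine-sports.gl.at.ply.gg:28097",
    ],
    "njrat": ["result-disco.gl.at.ply.gg:57385"],
    "nanocore": [
        "elroithegodofnsppd.duckdns.org:43366",
        "elroithegodofnsppd.ddnsfree.com:43366",
    ],
}

# Tunnelling and dynamic-DNS suffixes present in the configs; the report's
# "Legitimate hosting services abused for malware hosting/C2" signature covers these.
SHARED_INFRA = ("ply.gg", "portmap.host", "duckdns.org", "freemyip.com", "ddnsfree.com")


@dataclass(frozen=True)
class Endpoint:
    family: str
    host: str
    port: int
    kind: str                    # "ip" or "domain"
    routable: bool               # False for RFC 1918, loopback, link-local, etc.
    shared_infra: Optional[str]  # provider suffix when the host is on shared infrastructure


def parse_endpoint(family: str, raw: str) -> Endpoint:
    """Split 'host:port', classify the host and decide whether it belongs on a blocklist."""
    host, sep, port_s = raw.strip().rpartition(":")
    if not sep or not host or not port_s.isdigit() or not 0 < int(port_s) < 65536:
        raise ValueError(f"expected host:port, got {raw!r}")
    port = int(port_s)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        host = host.lower()
        provider = next((s for s in SHARED_INFRA if host == s or host.endswith("." + s)), None)
        return Endpoint(family, host, port, "domain", True, provider)
    # ip_address accepted it: private / loopback / link-local ranges are not internet-routable
    return Endpoint(family, str(ip), port, "ip", ip.is_global, None)


def extract_all(configs: Dict[str, List[str]] = REPORT_C2) -> List[Endpoint]:
    return [parse_endpoint(fam, raw) for fam, raws in configs.items() for raw in raws]


def blocklist(endpoints: List[Endpoint]) -> List[str]:
    """Unique routable hosts, suitable for a DNS sinkhole or egress deny list."""
    return sorted({e.host for e in endpoints if e.routable})


def shared_ports(endpoints: List[Endpoint]) -> Dict[int, List[str]]:
    """Ports used by more than one host: a cheap pivot for linking operator infrastructure."""
    by_port: Dict[int, List[str]] = {}
    for e in endpoints:
        by_port.setdefault(e.port, []).append(e.host)
    return {p: sorted(h) for p, h in by_port.items() if len(h) > 1}


def to_suricata(endpoints: List[Endpoint], base_sid: int = 9000000) -> List[str]:
    """One alert per routable endpoint. base_sid is an assumed local SID range."""
    rules = []
    for i, e in enumerate(x for x in endpoints if x.routable):
        sid = base_sid + i
        msg = f"{e.family.upper()} C2 {e.host}:{e.port}"
        if e.kind == "ip":
            rules.append(f'alert tcp $HOME_NET any -> {e.host} {e.port} (msg:"{msg}"; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns any any -> any any (msg:"{msg} lookup"; dns.query; '
                         f'content:"{e.host}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    eps = extract_all()
    print("blocklist:", blocklist(eps))
    print("shared ports:", shared_ports(eps))
    print("\n".join(to_suricata(eps)))
```

Two things the grouping makes visible: the Quasar C2 192.168.56.1 is an RFC 1918 address (the default VirtualBox host-only range), so that build was most likely configured for a lab and stays off the blocklist; and three XWorm endpoints (tunhost.duckdns.org, wintun.freemyip.com, 87.249.134.68) share port 57891, which is the kind of overlap worth pivoting on. Block the specific hostnames, not ply.gg, portmap.host or the dynamic-DNS providers themselves.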
Targets

Target: 55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538.exe
  Size:   300KB
  MD5:    dbbc76e3ba0de89300db081cb3e579af
  SHA1:   c1f4ebe05134b11e53fab95410554725d1959feb
  SHA256: 55b3d9059616b5aefb891d6c73e91acc1479e9b151684a2663ee031c71fb1538
  SHA512: 86555093a16d6dc5342399ae3efee4430eb7e7f5c7a2cbeb428fb5004c9cced28c62f46421c969167a69c204ee201a6c8ee14367a0f24e1c8681efe19b026375
  SSDEEP: 3072:icZqf7D34xp/0+mAGkyYaxQwgrRB1fA0PuTVAtkxzh3R0eqiOL2bBOA:icZqf7DIjnm2lB1fA0GTV8kX8L
  Score:  10/10
  Signatures:
    - RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    - RedLine payload
    - Redline family
Target: 55bc6e4a240651d4266ea63bd771337e.exe
  Size:   32KB
  MD5:    55bc6e4a240651d4266ea63bd771337e
  SHA1:   e2ca8413a263c352d7eb32acef7c9e119042b443
  SHA256: e368b11f01bc7103f378e5b7a17860f285e843ff06dea355e308331b29ac1fae
  SHA512: e746424667436e4a8f6b690efa6e69df122a2de55ae5161682705cb838210703e28a44c2cfc6eadef005a872a5d025bfbd4587656e2a85830d7826614d057ceb
  SSDEEP: 768:ff7wN9yW3wLceVM4vwjrwsXK18w3ccrfL9ar:8O7x4YH18w3cafRar
  Signatures:
    - Modifies Windows Firewall
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
Target: 55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f.exe
  Size:   3.1MB
  MD5:    4e5ef939d2eaac0b886f33cdc6bbe457
  SHA1:   748d293f933dd5d1e5dd11f14cd9c16dbcadb966
  SHA256: 55be056b6277768f3344436f323aca62fe5baaf572f804f9e32e9edc48c4802f
  SHA512: a03edd8b94da288370aa10660213f6eadaf91a6c026d8f1ea212901a43a5661c16c757348944802de782ba8a56ef2c1eeddf231c896e9c9af5da22a20db83a00
  SSDEEP: 49152:fvbI22SsaNYfdPBldt698dBcjHNpRJ6YbR3LoGd+2THHB72eh2NT:fvk22SsaNYfdPBldt6+dBcjHNpRJ6yO
  Signatures:
    - Quasar family
    - Quasar payload
Target: 55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d.exe
  Size:   3.6MB
  MD5:    3253b2e17495ad4fa33b0caa88defd97
  SHA1:   112eeaa584434e26a2303b9ed654b2d9feabab20
  SHA256: 55c90346c1106def94ce35242b780bd012609ce24c49a356c804a4689701af7d
  SHA512: e15a08a9a16817699526111907e9b3d9ed437c3d2da7b4a83a54f395cb71403cc6805b415494aa0bd2eb753ce53021ef77e4a1153865339572bd0841aadb1d77
  SSDEEP: 98304:i250LpLG9AVCX9Uv1k24W2xhg+rjTCYSGtS+T7OvTik:i250PVCNUdF4zxhg+HSGQ+3kT
  Score:  7/10
  Signatures:
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Executes dropped EXE
Target: 55e68f668a9bc6872ae937e6ffb74136.exe
  Size:   2.0MB
  MD5:    55e68f668a9bc6872ae937e6ffb74136
  SHA1:   b5621bc9452e41de3f170a3ab213dbbbca533a34
  SHA256: 7f99f9415b4cfa7a90a6e3f5f623112defe700ae2d33df28ddae4b4b8f0340d9
  SHA512: 73172b78a8a671217c3cc56768c8c630f3a2628e25c42287bddb531ecae8e46e9183273bef075254dab1fbfa8bdcf1f56a6fd0efd81cffb21c18bf3fd8a7cc26
  SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
  Score:  10/10
  Signatures:
    - DcRat: DarkCrystal (DC) RAT is a .NET remote access trojan active since June 2019 that can load additional plugins.
    - Dcrat family
Target: 5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9.exe
  Size:   1.3MB
  MD5:    c537265e08b74720fcf044daa1921daf
  SHA1:   34aa4e1ea864b660757270648c5e6b34bab51883
  SHA256: 5600890872cfada0e85b0d33ada4d88b2a0c359fb3cc5300d70bb0a1575e19c9
  SHA512: c19647bb65a0217963630f5fe897930da319976dc58001acaa6cb7f2789289d7aa0978266ff9096b2c615e22653a832c14e6df77b94eabf409a50c5752722bdc
  SSDEEP: 12288:l8nuZfUXSyPhkiVTybU5NXQdERNJ9qMTZLNYX1LeiMoS0u6qzeQDdQquvyza4nQC:lYuxryWePLgUqMFLNYX1QblDdZa0QC
  Score:  1/10
  Signatures: none reported
Target: 563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469.exe
  Size:   12.4MB
  MD5:    597dbb425d3fdbfcd96cfb7f0f447eda
  SHA1:   34f05cd0cdaca3015e2f6e3fd24ef460f1c0c037
  SHA256: 563d48f59066cea184f9ca9c8e116af85f627335f9e38749e10b9f5a8224e469
  SHA512: 75994ed55a09539f556f31442dd7ad838a1484466e2ab396b36d017f8fbc28bd0c052c17c0d74376d4e92837d1a4e6d97ec8190ad6ee0a1f8d5a8d6e6acc63bd
  SSDEEP: 393216:uTmEkeTbTQC4x2FVSRsWBWlBOBum5xo+s:GjTnxVRIFDzoD
  Score:  7/10
  Signatures:
    - .NET Reactor protector: detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Executes dropped EXE
    - Loads dropped DLL
    - Legitimate hosting services abused for malware hosting/C2
    - Obfuscated Files or Information: Command Obfuscation: adversaries may obfuscate content during command execution to impede detection.
Target: 56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61.exe
  Size:   305KB
  MD5:    62909f84c54ea6c3dd35c67b0c7e1a41
  SHA1:   1e1a8aaaca779d7e6261c0c81dece9b89a7b3759
  SHA256: 56583e9f6e3105d594f0451658686110a1f68b5fb285057148d1b3c6d087bb61
  SHA512: 48782a36763f3db573c80bd086e6e4f5c8e8aaf61c32b530953ee0ad6f70c00cff04d8c070a3371f9e3f3dd9755d3289c632e52ab999f2be802fc1df45583aa0
  SSDEEP: 6144:YQPKPOeAta8PAe6VlWT8b9hHhr3fbSXoXfE:zSPOhYPVle8/hq
  Score:  10/10
  Signatures:
    - Modifies WinLogon for persistence
    - Event Triggered Execution: AppInit DLLs: adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
    - Loads dropped DLL
    - Adds Run key to start application
Target: 569bb28f26e0170d21d0f5788a4ee262.exe
  Size:   2.1MB
  MD5:    569bb28f26e0170d21d0f5788a4ee262
  SHA1:   04740c6f85e9952aace33b43f16567e5b26152a0
  SHA256: 077ff4fd1a42fa755bb31b877c8ff2aea27683b31c65261bfe0d15cff0738934
  SHA512: 58db7e0d56e278801a35e4f762b0bca294f915e7720c039beb6d779d122aa344763bf71bafd698d70f0b217e7bf829b74f94563f56389925cf2a42dd6098cbc2
  SSDEEP: 49152:x/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf:
  Score:  7/10
  Signatures:
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Executes dropped EXE
Target: 56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54.exe
  Size:   622KB
  MD5:    a1bc8a1b9cfd1ce7f226de09131c4cfc
  SHA1:   6834f014436774bb6d720fffdd2656eb91193918
  SHA256: 56a0fe76690153775e7d0af4698d0ef50c369cf078079269825f53cf2eec5b54
  SHA512: 2c01b40db9a52dd7aaf316e0011d85f7e1484728a6b65139765b7525af665205a2dd1a3fad162fb6b8dc26d69ad4ff92e86908ef072af5440923c7894f1e5ab4
  SSDEEP: 12288:pu5MOiV13I+DRKglWfsnoeWPSRNfcU5C8RMtBmEFPpu353e+dqMX2:pu5MOiX3I+DkSWkno/PSNkxOMHmEFPgS
  Signatures:
    - Detect Xworm Payload
    - Nanocore family
    - UAC bypass
    - Xmrig family
    - Xworm family
    - XMRig Miner payload
    - Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    - Creates new service(s)
    - Stops running service(s)
    - Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Legitimate hosting services abused for malware hosting/C2
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
    - Power Settings: powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from locking or shutting down.
    - Suspicious use of SetThreadContext
Target: 56bf03053c6a58211b3bb060862ea7ec.exe
  Size:   68KB
  MD5:    56bf03053c6a58211b3bb060862ea7ec
  SHA1:   3c026aec310edda9884a7f744eb869c80163272d
  SHA256: 4c80e87e99e487ffc0f90c9e4fe4aa64475a90ed18c4f4afd51bd3f4a411ed8a
  SHA512: 40a2b58bcf9648eab523056a8505c9069bc50723c670611cecd33e18d2d5367aecab8bf1912c1cccb3ccaf652092533045de16de645f9dd7be13ba6d3a5bfcb3
  SSDEEP: 1536:UuU1cxYgbIk9HMvz2fWY5fbTlkkPal/+F6Q/OEcKHm:Uu5VBAzE5bTlBy8r/OEhm
  Score:  10/10
  Signatures:
    - Detect Xworm Payload
    - Xworm family
    - Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: 56f180528b74e418299dd53d17305073.exe
  Size:   44KB
  MD5:    56f180528b74e418299dd53d17305073
  SHA1:   2b0e07cca95b2ad12a3a62542d60563fe771d7e5
  SHA256: f4624b0f6ddcc9063d0860d7f89ce72b65ec788471497cf3ac4e9eec4e9a9971
  SHA512: da37318c4f3cd4dc636c7fe65f72b8129f8f776cc1b3e968dae5d98fcf9459e146059a8cec04cedb9cfeea8320a17ebef797485f8fac03fc5303e3ac040286c6
  SSDEEP: 768:mb9Am7OYpuHa56hr0ols+qLYMaA+F+t9pfN3ja6iOChbbVL2K:mbOedpu656hrdbeaRFw9Zw6iOCJV5
  Signatures:
    - Detect Xworm Payload
    - Xworm family
    - Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: 5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88.exe
  Size:   2.0MB
  MD5:    18df4416b99e38d8f201ffff991464a8
  SHA1:   7607ea4dd4253214604250b52eef2fead9884fcf
  SHA256: 5737ca76a64d47bb4cca4745520c6e536f4b8360502070dfdacbd4ba1bb6ae88
  SHA512: 28917e821c575bc9671987b7b320900b850550a2c6b6a36396c1b21eddd0edaa6531e9f7c6d0185e7feed136eec5077e3afac438375f72ae814980f4c85f3b9f
  SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
  Score:  10/10
  Note:   same size and identical SSDEEP as 55e68f668a9bc6872ae937e6ffb74136.exe above; the two DcRat samples are near-identical builds that differ only in their cryptographic hashes.
  Signatures:
    - DcRat: DarkCrystal (DC) RAT is a .NET remote access trojan active since June 2019 that can load additional plugins.
    - Dcrat family
Target: 575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1.exe
  Size:   28.9MB
  MD5:    e93ab7d09ceca46c4ecec7ab9a02d387
  SHA1:   79e08d601f9f696bbb6801da6f3523970bebd1e7
  SHA256: 575bc86968dd39f1d1c96d337977010b47d6617890d54c1a0a4d0fee013be6a1
  SHA512: aecf648eade4d1868180667c94a2b18e5af7808e485a53c77fad13d9ea7efcb74ecfa41592b37c93c1754aacb6946c34bfd2e300c007656f94f42a4870d5200c
  SSDEEP: 786432:4XuCHGJTk6G76kMNr0R7QMMnmAiiqPS3o:5ZPkMYsMMnmAi63o
  Score:  7/10
  Signatures:
    - Deletes itself
    - Drops startup file
Target: 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
  Size:   229KB
  MD5:    a0397395824c0069a98cbe5702f013a1
  SHA1:   730af9f2e0b3458788cca74c595d91fe165dbd49
  SHA256: 57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f
  SHA512: 8ab7f110b9989f24de8a264084c1e933c0b373f3619222c10a56b0ff10df29069d58e9cd847c0f196a6d71f54fbbca2221328d9a7901f4151dc60f887cc3afa1
  SSDEEP: 3072:it4FE9RQOqFdLD8KbgVtn8Mo8G1gVziHzZbIK1YKB/pCAcNqXhwBV3yxSQig8xNV:i8E9U/5bTgVziHzZnSKrCbYMwgba8Vq
  Score:  10/10
  Signatures:
    - Detect Xworm Payload
    - Modifies security service
    - Xworm family
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Executes dropped EXE
    - Indicator Removal: Clear Windows Event Logs: clears Windows event logs to hide the activity of an intrusion.
    - Loads dropped DLL
    - Drops file in System32 directory
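Several of the signatures above and on the preceding targets (PowerShell adding Defender exclusions, powercfg abuse under Power Settings, Run-key persistence, firewall modification, service creation and stopping, event-log clearing, and command obfuscation) are visible as plain process command lines, which makes them cheap to hunt for in endpoint telemetry. The block below is an added example, not part of this report or of the sandbox's detection engine: a small rule table keyed to those signature names and their ATT&CK techniques, run over constructed Sysmon-style process-creation events. The events, paths and command lines are invented for illustration (they are not observations from the analysis), the regexes are starting points rather than complete coverage, and the decoder recovers the script from a `-EncodedCommand` argument, since PowerShell takes it as base64 of UTF-16LE text.

```python
# Added example (not from the report): command-line detections for the behaviours the
# report's signatures describe, run over constructed process-creation events. The events
# and the regexes are illustrative; nothing here is taken from the sandbox's own logic.
import base64
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple

# (signature name as the report labels it, ATT&CK technique, pattern over the command line)
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("Command and Scripting Interpreter: PowerShell (Defender exclusions)", "T1059.001 / T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)),
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are listed.
    ("Obfuscated Files or Information: Command Obfuscation", "T1027.010",
     re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("Power Settings", "T1653",
     re.compile(r"\bpowercfg(?:\.exe)?\b.*(?:-(?:standby|monitor|hibernate)-timeout-(?:ac|dc)\s+0|/hibernate\s+off)", re.I)),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("Modifies Windows Firewall", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\b", re.I)),
    ("Indicator Removal: Clear Windows Event Logs", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("Creates new service(s)", "T1543.003", re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("Stops running service(s)", "T1489", re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", re.I)),
]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style process-creation events, reduced to the fields the rules use.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"pid": 1, "image": PS, "cmdline": r'powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\Public -ExclusionExtension exe -ExclusionProcess svchost.exe"'},
    {"pid": 2, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powercfg /x -standby-timeout-ac 0 & powercfg /x -monitor-timeout-ac 0"},
    {"pid": 3, "image": r"C:\Windows\System32\reg.exe", "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d "%AppData%\svchost.exe" /f'},
    {"pid": 4, "image": r"C:\Windows\System32\netsh.exe", "cmdline": r'netsh advfirewall firewall add rule name="Client" dir=in action=allow program="C:\Users\Public\SubDir\Client.exe"'},
    {"pid": 5, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"pid": 6, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop WinDefend"},
    {"pid": 7, "image": PS, "cmdline": "powershell.exe Get-MpPreference"},  # benign: reads settings only
    {"pid": 8, "image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},  # benign read
    {"pid": 9, "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},  # decodes to "IEX New-Object"
]


def scan(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for ev in events:
        for name, technique, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "image": ev["image"], "signature": name,
                             "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def summarize(hits: List[Dict[str, Any]]) -> Counter:
    """Technique -> number of hits, the same shape as the report's ATT&CK matrix."""
    return Counter(h["technique"] for h in hits)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; recover the script."""
    m = re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"pid={h['pid']:<3} {h['technique']:<22} {h['signature']}")
    print(dict(summarize(scan(SAMPLE_EVENTS))))
```

The two benign events (a `Get-MpPreference` read and a `reg query`) are there to show that the rules key on the modifying verb, not on the tool name; a rule that fired on every `reg.exe` or `powershell.exe` launch would be noise. In production the same table would run over Sysmon EventID 1 or Security 4688 with command-line auditing enabled, and the `-EncodedCommand` decoder feeds the recovered script back through the first rule.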
Target: 57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a.exe
  Size:   338KB
  MD5:    5b7ccfca9393b276311cbd13b5267747
  SHA1:   cb246b9d728ebbb150224fd05c7a4cd7a6f25dbb
  SHA256: 57f8be0d4c7021dd7b09ec4eff55e6803ca1f11b7bb4935319b4ee8c70034b5a
  SHA512: f86d4a976bee24a013c35990650d8f52caa1b340a741529a443578c432f50d52dd6c64738b20e3a2c989bf0969486ba52abbd02026c205a562503dd37d55ccf9
  SSDEEP: 6144:Y5gICebp23YUv+GIIIIIIIhIIIIIIIIIIIIIIIU:Y5g3KCYUQ
  Score:  10/10
  Signatures:
    - Detect Xworm Payload
    - Xworm family
    - Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
MITRE ATT&CK Enterprise v15 (the number in parentheses is the hit count the report shows)

Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
  - System Services (2)
    - Service Execution (2)

Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (4)
    - Windows Service (4)
  - Event Triggered Execution (2)
    - AppInit DLLs (1)
    - Netsh Helper DLL (1)
  - Power Settings (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)

Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Create or Modify System Process (4)
    - Windows Service (4)
  - Event Triggered Execution (2)
    - AppInit DLLs (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)

Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (3)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (1)
  - Indicator Removal (1)
    - Clear Windows Event Logs (1)
  - Modify Registry (6)
  - Obfuscated Files or Information (1)
    - Command Obfuscation (1)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)