General

  • Target: archive_23.zip
  • Size: 40.4MB
  • Sample: 250322-gxstgatjw7
  • MD5: 7cb3d59cc2424da354398032f22fdb86
  • SHA1: 6237fddf1052309868ad72e6ccac4ebfa1254d2a
  • SHA256: b9cae0739fc6daee051551b3e1dfabd39db41c2996f3a905254a71def555ba36
  • SHA512: 780799f3abb8a5d169d2e27f2bb083c22d2b0976c1a70f5b3009f5f7d30a265e9d1f7cb63c206a0da0133e33f769b3b6f1a923b40b0e0020b58b2572de2a5589
  • SSDEEP: 786432:BsjaOAUUnp7NRa6ujrcruv248VadijHP2OgyQ37ElCI6u1TGXT:CjoUWzkjrcyWmOzQYlvtGXT

Malware Config

Extracted

  • Family: xworm
  • C2: https://pastebin.com/raw/DfF7GpwD:123456789
  • Attributes
    • Install_directory: %LocalAppData%
    • install_file: svchost.exe
    • pastebin_url: https://pastebin.com/raw/DfF7GpwD

Extracted

  • Family: discordrat
  • Attributes
    • discord_token: MTM1MjA1NzMyNDc3NjE5NDA2OA.G42d3M.lPgGGTTkVtqnMENPX_QaLq5UCf1wXmylAYB_Nk
    • server_id: 1352056934202740847

Extracted

  • Family: njrat
  • Version: 0.6.4
  • Botnet: HacKed
  • C2: xpalhack.ddns.net:107
  • Mutex: 7716eb875d4bae48da108d24c4ab3b3e
  • Attributes
    • reg_key: 7716eb875d4bae48da108d24c4ab3b3e
    • splitter: |'|'|

Extracted

  • Family: umbral
  • C2: https://discord.com/api/webhooks/1352346950175031327/zuvca-7DEQWkYkNjPuRnB2ni-m70o0O2RwaCIjQ4ez0DbQuXvfvdl9TeL4VkGVbBj2NE

Extracted

  • Family: njrat
  • Botnet: Hacked By HiDDen PerSOn
  • Mutex: 3b21b5f7698774d914e6e65e2cfd9163
  • Attributes
    • reg_key: 3b21b5f7698774d914e6e65e2cfd9163

Extracted

  • Family: quasar
  • Version: 1.4.1
  • Botnet: 1
  • C2: weeks-ranger.gl.at.ply.gg:42339
  • Mutex: 4e2597cd-e816-491b-9d41-58f0cd2d27dd
  • Attributes
    • encryption_key: E6C5ACEED74B9D3002C954D5485EC4199651D88E
    • install_name: NvidiaChip.exe
    • log_directory: Keylogs
    • reconnect_delay: 3000
    • startup_key: NvidiaChip
    • subdirectory: NvidiaClient

Extracted

  • Credentials
    • Protocol: smtp
    • Host: smtp.yandex.com
    • Port: 587
    • Username: [email protected]
    • Password: Boy12345#

Extracted

  • Family: xred
  • C2: xred.mooo.com
  • Attributes
    • email: [email protected]
    • payload_url:
      • http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
      • https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
      • https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
      • http://xred.site50.net/syn/SUpdate.ini
      • https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
      • https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
      • http://xred.site50.net/syn/Synaptics.rar
      • https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
      • https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
      • http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target: 5f039af1a66a3a9d97e5a98931ecadfa8190980e54a6b78f09df47faa4615d91.exe
    • Size: 7.9MB
    • MD5: da1364870c95f396ea84ac60afdab146
    • SHA1: d5e023d34954e0d7e32575cf79049a7c64688456
    • SHA256: 5f039af1a66a3a9d97e5a98931ecadfa8190980e54a6b78f09df47faa4615d91
    • SHA512: b6a8827705fda917b0ef6297d37979799f7ca29e9236381b57a7f6bd95b7ede836efa8056851f260706796caf3d6b6d910326fbee209aa85ab5986bdb2f9d536
    • SSDEEP: 196608:M9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZB2:MmqbhrEbn87eZsFmq+6
    • Score: 7/10
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL

    • Target: 5f176e85cdd34cea58805cd7efb202160ffa0f2e5589dd1b024ce9f6e3019429.exe
    • Size: 1.6MB
    • MD5: 1145f23be1c1ceaba1ff7fbe0b80af2b
    • SHA1: 1a379b9c481a57c905908612408d2cef91eba351
    • SHA256: 5f176e85cdd34cea58805cd7efb202160ffa0f2e5589dd1b024ce9f6e3019429
    • SHA512: b8e6e29725c6bd0badf55a856676671ddd74e8c3ebdd0173e7dab51b408fc38f8268be74c375f400deb343bf3b838677a98b0594479686293fac9634ce89af37
    • SSDEEP: 49152:2q1UW2zC49YXX6O8RsdMWjDwlHxJuOcx1V:2q1K9YXX788M8wlRRcxP
    • Score: 3/10

    • Target: 5f59a08b97977550e9802195da378d29eb90021b8759f9e865592f8b50cc51d7.exe
    • Size: 2.0MB
    • MD5: c440451f4bf1c44f534b537e35944991
    • SHA1: dabe3ed1eb06f67841a923098985231b9c1daa7b
    • SHA256: 5f59a08b97977550e9802195da378d29eb90021b8759f9e865592f8b50cc51d7
    • SHA512: b9bd0c732e4c231220a7721374ac2c9ca95b4235bffefbeb085e457a18b3e804883551f062163099f7c9c44fa688d6240d01c3244e57d00d423f596b914c760c
    • SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
    • Score: 10/10
    • DcRat
      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target: 5f6bf8650715fe3f914b7e24cf572b85fd753d68054c98c36360b67bfa518add.exe
    • Size: 626KB
    • MD5: b675f5607efc77d45aac893264dd601c
    • SHA1: 6d6d0a2f7bc9d1df99275894d9e455d70da689d1
    • SHA256: 5f6bf8650715fe3f914b7e24cf572b85fd753d68054c98c36360b67bfa518add
    • SHA512: 5e74b0c975173351c0c9b4cd49283adfd57e38b768dcbf03f82d30c5f9c1ada0b6e70b97d26a6787bd15f43ae802d5b2f4394123bf4445378a7351dd335b5211
    • SSDEEP: 12288:wTAALVma8Vk2WbYq5qL7Lp4SKpRUzfBI4xa7iKX:mVma72z9KY7BID7iK
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Xworm family
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2

    • Target: 5f7cc3cf60f06f621252e35221b7475f34ca6bf1a570758ef048b4e74b61327b.exe
    • Size: 3.3MB
    • MD5: a6b4d6ff1ddf9867a5ed814cab2cd7ac
    • SHA1: 2e1da71c8b747181d0876009d4caba1fe336e085
    • SHA256: 5f7cc3cf60f06f621252e35221b7475f34ca6bf1a570758ef048b4e74b61327b
    • SHA512: 17c5f8ce6ed6f2f3519eae5bea4b7cf6fa78575ed3cd1cc09388ebb44d611c0d63535da2f1b7d5e975d03d01525d45b2890bb7f13d53843086a17cf2926bde34
    • SSDEEP: 98304:6RS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/Fauf:6kj8NBFwxpNOuk20auf
    • Stops running service(s)
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target: 5f9e5801114ebb85eeb7e7043704cdab.exe
    • Size: 13.1MB
    • MD5: 5f9e5801114ebb85eeb7e7043704cdab
    • SHA1: 386ecdaeccb2f5fa1f41d2ffb21a6c07333b737c
    • SHA256: 6c0a0949de63ddfebedb5432edca535364730f6c28790f457e17a2b78510cab4
    • SHA512: 4f87a796eedc26fabb13d9b34bd76f5520af8367b74b486332c7f377837adda06cb479e67e3e9716e00a7752a5ab47d59e18ebab0898bd0e5e943e1bf1b49bb2
    • SSDEEP: 196608:6d58/BAe1d4ihvy85JSkLmj/yMpoH+VvqlL1kehn4iRAxAnf38:ByISkqj/yMm+VvsRka4iuxKfM
    • Score: 1/10

    • Target: 5fb355ac6b26e9e1c1ccd07879918440f4ecd70fb341dafb8419acddbfe0a933.exe
    • Size: 1.1MB
    • MD5: e19098a4c57ef44739d98eba8287775a
    • SHA1: 7ec472dca2ba9b6c3976f314ba869834d1972d41
    • SHA256: 5fb355ac6b26e9e1c1ccd07879918440f4ecd70fb341dafb8419acddbfe0a933
    • SHA512: 8eb9f5c8bded5f4a7f97f7a415777f1e99dc8c92829ba45f7b55d0677bb271ac8397904944e859cfe30d9fa1cd17ba906e81faecce215409468e83098b31d2cd
    • SSDEEP: 12288:jz7IFjvelQypyfy7z6u7+4DvbMUsIGoY2hn:jz0FfMz6TEbMUskLn
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Unsecured Credentials: Credentials In Files
      Steals credentials from unsecured files.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 5fbe4073ad9c39dd8a8e295e7569d5bc.exe
    • Size: 44KB
    • MD5: 5fbe4073ad9c39dd8a8e295e7569d5bc
    • SHA1: 8b248e389edb3e4aa8badee94860018270dd207b
    • SHA256: 14c2d70a5ee84f4df102ee1c8d8814547cd6f577394ba7187bb20612aca8325d
    • SHA512: b62ce78d3b24907ad7bd14a1239a0ea7e961bd464c36431f9d2a63fba251c40fd074b9da25f75efa082df0eb93df78042c4f2ab64d83ee44a50609bc2e10c883
    • SSDEEP: 768:N8w8kJep21xEHUPr4cppEckkRvObyC0wPBpi+911wZYBxkD:N8IBEH9ym6hOblnPB59bwax8
    • Score: 1/10

    • Target: 6025a03430599ee8e8561987af97f145.exe
    • Size: 78KB
    • MD5: 6025a03430599ee8e8561987af97f145
    • SHA1: 9ab43188bd8054f0bce0891a13b2387a79afc1b3
    • SHA256: 40109b15ee4560f27cafb2329d4301b1c7e752580cc96390c2d335b65f5d57c6
    • SHA512: d247be89db096e74139333f5157be98801258e7cbee0dbd9d42cc4307a8dcd3f358c58886abb9e33958a1cead3e4c51d2c2a056f224e2235b83197df149f1c7c
    • SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC

    • Target: 603d00b49e0ee1b9c5022174ab248b6c.exe
    • Size: 18KB
    • MD5: 603d00b49e0ee1b9c5022174ab248b6c
    • SHA1: fd93a10b32cced522ca6274f781066a9fab8af17
    • SHA256: 8d19be51751f0c459874ae1dc1be93fb7e667bc916f5b11eeb67943b479cb0e9
    • SHA512: 226f971bb04ba4f0548ad207a308567a5dc7ee1aea5ff933e020e457c38e53a7c8c899e8cd036060c4f1aca7e157c6d076c22422f318cd626b323e558e57f865
    • SSDEEP: 384:6d+cgTYymL0Tybt/yLp3Ejf0TgShmWTkK6aHv+P:qpxwTyBcEjylTA
    • Score: 1/10

    • Target: 605e7762c4bed0a303155d062623280ed30b91c4fccd870f34d5dc760c9b610f.exe
    • Size: 2.0MB
    • MD5: 79002fb8b8434e10c9e9e8b5d1594471
    • SHA1: ad7aaf3b95c639540b27695300f9afe3f0a4c64e
    • SHA256: 605e7762c4bed0a303155d062623280ed30b91c4fccd870f34d5dc760c9b610f
    • SHA512: 9699981d9a72883db3dd0fd73885b21dec065ca2157be465df99b159dca28e346f9ef73f0f154fabe2d4667e6b02e7ae1df58547ed4d15c532bf215bbffc3ad9
    • SSDEEP: 49152:jrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:jdxVJC9UqRzsu+8N
    • Score: 10/10
    • DcRat
      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target: 6062c88bd655b72adfaa8b8fb95d56c6.exe
    • Size: 28KB
    • MD5: 6062c88bd655b72adfaa8b8fb95d56c6
    • SHA1: 5bb7960154a50f23da19dae33955daf14b569e65
    • SHA256: c1c091908a719aca66bb7853c4ac1c39b17ceefa279cb8d1261e70c593fa97e5
    • SHA512: 5f5f38ca0704f5e8029daa56321af9d6e4d2ea4dd086b194aebbbb01a2cb8d8df8e52b90e9781cd1c9f387a561b91a2a6ff7522873051906b66bab3e49a9f90c
    • SSDEEP: 384:2gJGJl7tj1Msagab1h5Vh+2CWmqDebD59ePbGBsbh0w4wlAokw9OhgOL1vYRGOZr:S7nMsanzR+2cqEDveyBKh0p29SgRWM
    • Njrat family
    • njRAT/Bladabindi
      Widely used RAT written in .NET.
    • Modifies Windows Firewall
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

    • Target: 6099cb8be85344f7557b27fba1ae22c1.exe
    • Size: 5.3MB
    • MD5: 6099cb8be85344f7557b27fba1ae22c1
    • SHA1: 5031e7a22b44b1d403840d5bd95a32bab89c813f
    • SHA256: 1a7d2ecce7b2a972ba3ad112bf7e48f44c57ad5f90077c74ded02e2ea43f691d
    • SHA512: 6ab8f7ca055c24e92267bf6f83ea518829e52a44f94f39c13f9d657cf98d5bb5257feeaa84307de9376cdb7cb50d941baef39832eaf31e37ad712a003afa26f3
    • SSDEEP: 98304:FZNVWg4AxEfkzA0ZNVWg4AxEfkzA8ZNVWg4AxEfkzA4ZNVWg4AxEfkzAO:fNsg4AMgAqNsg4AMgASNsg4AMgAuNsgp
    • Xred
      Xred is a backdoor written in Delphi.
    • Xred family
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 60cefc41a36bd39b3ed821f809214b23.exe
    • Size: 78KB
    • MD5: 60cefc41a36bd39b3ed821f809214b23
    • SHA1: f0780b33e30d9fa6d9770d3582d8a89e6768a301
    • SHA256: cabdfa8ff32894fb52519e370cfba5ac756c32806914f9204ad0956ea656c4b1
    • SHA512: 39a7f50d15e315aa0d7997bd2f42a017e2dfad156c880a114d14625f364445c2ff822be27cc76dd1040d7fd6d2aa22fe2c1b3ae2cfea3d85c47a1a9a6210ebd0
    • SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+lPIC:5Zv5PDwbjNrmAE+1IC

    • Target: 612990113a2323e56af3abbbb03e5002.exe
    • Size: 2.0MB
    • MD5: 612990113a2323e56af3abbbb03e5002
    • SHA1: 9f34edf4e0a59efa9f44da074f2a9c09f013bff9
    • SHA256: c6f13a0bf3c4f3b5f76cb3f74c912b06f2cff22ae079297e863432c3278cd7c7
    • SHA512: c3efdac615fd521a096259f58e406aff5658b3bbd082abf6fc65e89489c81b58b662654e472bc8dc41dd5b5ae5b031273811a779776a1b93627922e825624ef7
    • SSDEEP: 49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
    • Score: 10/10
    • DcRat
      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
    • Dcrat family
    • DCRat payload
      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target: 61352802789defec49acc018b1d534a0f36ba97c4486876de06fb2d7ff352b33.exe
    • Size: 879KB
    • MD5: dcb87d6a698acfaa3c8c63e0a7851c48
    • SHA1: 05f6d08e5550ba2d1481e940e38c7cf4703b3292
    • SHA256: 61352802789defec49acc018b1d534a0f36ba97c4486876de06fb2d7ff352b33
    • SHA512: 4f5408d7aeef783e8c3e1ab3f835f2d0c3eb3aa24e542cbb176ad04e24698cd17d1c078d6c564563a1f87aa323998ad7554e7c51576cddf51f9cf3b8a441b754
    • SSDEEP: 6144:1tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rT7D:n6u7+487IFjvelQypyfy7T7D
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads WinSCP keys stored on the system
      Tries to access WinSCP stored sessions.
    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs like FileZilla.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers will often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Unsecured Credentials: Credentials In Files
      Steals credentials from unsecured files.
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1
  rat, hacked, hacked by hidden person, 1, dcrat, xworm, discordrat, njrat, umbral, quasar
  Score: 10/10

behavioral1
  Score: 7/10

behavioral2
  Score: 7/10

behavioral3
  discovery
  Score: 3/10

behavioral4
  discovery
  Score: 3/10

behavioral5
  dcrat, infostealer, rat
  Score: 10/10

behavioral6
  dcrat, infostealer, rat
  Score: 10/10

behavioral7
  xworm, execution, persistence, rat, trojan
  Score: 10/10

behavioral8
  xworm, execution, persistence, rat, trojan
  Score: 10/10

behavioral9
  defense_evasion, execution, spyware, stealer
  Score: 8/10

behavioral10
  defense_evasion, execution, spyware, stealer
  Score: 8/10

behavioral11
  Score: 1/10

behavioral12
  Score: 1/10

behavioral13
  collection, credential_access, discovery, persistence, spyware, stealer
  Score: 10/10

behavioral14
  collection, credential_access, discovery, persistence, spyware, stealer
  Score: 10/10

behavioral15
  Score: 1/10

behavioral16
  Score: 1/10

behavioral17
  discordrat, persistence, rat, rootkit, stealer
  Score: 10/10

behavioral18
  discordrat, persistence, rat, rootkit, stealer
  Score: 10/10

behavioral19
  Score: 1/10

behavioral20
  Score: 1/10

behavioral21
  dcrat, infostealer, rat
  Score: 10/10

behavioral22
  dcrat, infostealer, rat
  Score: 10/10

behavioral23
  njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
  Score: 10/10

behavioral24
  defense_evasion, discovery, persistence, privilege_escalation
  Score: 8/10

behavioral25
  discovery, execution
  Score: 8/10

behavioral26
  xred, backdoor, collection, discovery, execution, persistence, spyware, stealer
  Score: 10/10

behavioral27
  discordrat, persistence, rat, rootkit, stealer
  Score: 10/10

behavioral28
  discordrat, persistence, rat, rootkit, stealer
  Score: 10/10

behavioral29
  dcrat, infostealer, rat
  Score: 10/10

behavioral30
  dcrat, infostealer, rat
  Score: 10/10

behavioral31
  collection, credential_access, discovery, persistence, spyware, stealer
  Score: 10/10

behavioral32
  collection, credential_access, discovery, persistence, spyware, stealer
  Score: 10/10