Analysis

  • max time kernel
    6s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 13:55

General

  • Target

    Nerestpc/Nerestpc.exe

  • Size

    8.8MB

  • MD5

    14862f30b225f2890861a5ad97c44237

  • SHA1

    42d66e64f1f9b67ecd408f9688ad44335cdbef7b

  • SHA256

    00eca4e6f39ba722102f071024c568862dd18e9669f431033576f62b6d847ca2

  • SHA512

    71f7359bb27fa7eae54d72c4cf0c32d07d3b0ee59a1fe913b4fa8ef706758e625f7a5eac670eeef167b6899d6e04fa0ae4933b1af2e09ff735526973c0a13d4b

  • SSDEEP

    196608:GaaKLgaeBMV1x2g5vrPnsvaH7ATG/3lVr99W7SONlmsQa:GangTBMfxXvrPdATGvRLOca

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:62949

pidoras123131-62949.portmap.host:62949

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7812594920:AAF8LiE_BAgLbrCBoONka4W_igE0Wo_lUEg/sendMessage?chat_id=7101392896

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nerestpc\Nerestpc.exe
    "C:\Users\Admin\AppData\Local\Temp\Nerestpc\Nerestpc.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Local\Temp\хуйло.exe
      "C:\Users\Admin\AppData\Local\Temp\хуйло.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe
      "C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NerestPCFree 0.32.3.exe

    Filesize

    9.4MB

    MD5

    528865813ccd9f4993ebfaa940ffb508

    SHA1

    489edf8a9b2a3e8e7d9eebec4d1acd776b71e51b

    SHA256

    d873e0097be4144f1b23e3d932587a18d5600d8d64071d53763d27cafe58f8e8

    SHA512

    e6d55a53310640ff42d3bd7c01b1885773b38784e0c954112528dcd59ccbadbe986db95bb6c19b7c32177fa80c62880a5288b761f677510677cc605708fe7b85

  • C:\Users\Admin\AppData\Local\Temp\хуйло.exe

    Filesize

    142KB

    MD5

    c4993bc05fff4c6dad5ca8f6a5c4d52e

    SHA1

    2eeb240fda801478a0c5d67d57efedc94652eda8

    SHA256

    2da85c1b6454943af17f82108a5e58832b23c010cb2857bf5a4ddbe6d062a81a

    SHA512

    15772d4f4b9cb221782cf06be592ebc72143ffe62aa7b579828596b75fb99919ab0011e5e5b19d93acdd3ea6837cdfd6650d36fd914d67a6b5715046f94b006a

  • memory/2624-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

    Filesize

    4KB

  • memory/2624-1-0x0000000001260000-0x0000000001B36000-memory.dmp

    Filesize

    8.8MB

  • memory/2624-5-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2624-16-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2664-17-0x0000000000290000-0x000000000145E000-memory.dmp

    Filesize

    17.8MB

  • memory/2664-18-0x0000000001670000-0x0000000001671000-memory.dmp

    Filesize

    4KB

  • memory/2704-9-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

    Filesize

    9.9MB

  • memory/2704-8-0x0000000001300000-0x000000000132A000-memory.dmp

    Filesize

    168KB