Resubmissions

22/05/2025, 12:12

250522-pc961stjt7 10

22/05/2025, 12:11

250522-pcnysatjt2 10

20/05/2025, 04:12

250520-eskwysbl9t 10

General

  • Target

    x69.exe

  • Size

    285KB

  • Sample

    250522-pcnysatjt2

  • MD5

    20841606ce69632f258221219aeee09b

  • SHA1

    b72918797186774598792c47b66d5857be59f576

  • SHA256

    1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

  • SHA512

    aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

  • SSDEEP

    6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

Malware Config

Extracted

Family

xworm

Version

3.1

C2

grayhatgroupontop.zapto.org:1177

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7717722960:AAGvuHVf2skcG3rQxo21EcgaQuXDN-eZ9zs/sendMessage?chat_id=6757433004

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Extracted

Family

latentbot

C2

grayhatgroupontop.zapto.org

Targets

    • Target

      x69.exe

    • Size

      285KB

    • MD5

      20841606ce69632f258221219aeee09b

    • SHA1

      b72918797186774598792c47b66d5857be59f576

    • SHA256

      1ca064f8c8eb72cd0cfda466bb582318c93d2856a89bcf323b37d820f05fdc83

    • SHA512

      aa1d6dcc49a66a5cef5fc64cae299c250bb5327d8d2e985db83e568b9d5acdde3b58249797f84fddcabf21210e194fa2ae3ca6b178286a3563d9574937e2b72e

    • SSDEEP

      6144:3RIUGV77XEc5EDEhp19jyVyFSXnIHq1h8tkEsjuIMN9lLk:uUG5oc5EDAU0F+18guI

    • Bdaejec

      Bdaejec is a backdoor written in C++.

    • Bdaejec family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Detect Xworm Payload

    • Detects Bdaejec Backdoor.

      Bdaejec is a backdoor written in C++.

    • LatentBot

      Modular trojan written in Delphi which has been in the wild since 2013.

    • Latentbot family

    • Modifies Windows Defender DisableAntiSpyware settings

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Modifies Windows Firewall

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Drops startup file

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies Security services

      Modifies the startup behavior of a security service.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks