Resubmissions

21-06-2024 17:47

240621-wdak4syenc 10

17-06-2024 01:02

240617-bd377swhrc 10

General

  • Target

    8ed91c8de844e9e8e083719b6a931516902773a7d7f7d5fccb9874180c9a886c

  • Size

    7.2MB

  • Sample

    240617-bd377swhrc

  • MD5

    89886c2edf05ecf1c7bd699afc33b087

  • SHA1

    0418403f212b5b5f57fec4cbaa37ff12683a4f80

  • SHA256

    8ed91c8de844e9e8e083719b6a931516902773a7d7f7d5fccb9874180c9a886c

  • SHA512

    435d58b0338940eafc3eab050eb20838a0c8abc1d0517da40c8cda1117d0e74e368093f945fdffe6910dfb84175c728be3a5ce3ef32e7735b9f111cc081e3ca3

  • SSDEEP

    196608:mn5gKydXl5j5t4y52QOLX6C4ud1cDFon18Yt3xIrKGq:DrdHVtIQTo1cZo+aBJGq

Malware Config

Extracted

Family

xworm

Version

5.0

C2

yoda2024.sytes.net:43831

Mutex

fWQWs5QfpFj07ys9

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

Version

3.1

C2

june9402xw.duckdns.org:9402

Mutex

TAtfGa9f0WCjVzn6

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

C2

yoda2024.sytes.net:43833

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-N091BG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (exe.dropper)

    http://149.102.147.106:550/q.jpg

Extracted

  • Language

    hta

  • Source

  • URLs (hta.dropper)

    http://198.23.201.89/warm/wow123.hta

Targets

    • Target

      0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe

    • Size

      824KB

    • MD5

      557d44cc5e33ac15ef0b659e5e58433d

    • SHA1

      389c0e121ee86c95c31915b54489e278a800b76d

    • SHA256

      0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99

    • SHA512

      ed6cfd791b7367f065c4f278d70288961bd01de010648776be6351aec2822b3080b72343cff5a8ab6d73a5131b73a02d03a3274f8b98cdf2433191a50e8596b4

    • SSDEEP

      12288:0Y4eAXsAvV7ihwdVUuRhnMLCke0euDme6ocbosxyc:EeAXsmV7Ywk+n0Cz0sEc0cv

    Score
    8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      ee255bdf426349e1caa8f1b71de9fd22

    • SHA1

      d589773826620046df1d77dd148f819a88dd35ec

    • SHA256

      a45f294137e2b0f6092eee8fdd2e19334f34ff3640d865a810b70f2104e92c21

    • SHA512

      71eeb41b5816b7d0f9517264aaf026da878561b6a222064c8100e47c383de9ac369800b734468322f3a6fc3eedb1a23d3c5ca6874bd7bf84af08f395248872cc

    • SSDEEP

      96:8ePik1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTc4j7J3kWyy/:tPdTJa2roqJyA2EN8diuTJje

    Score
    1/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      dbdbf4017ff91c9de328697b5fd2e10a

    • SHA1

      b597a5e9a8a0b252770933feed51169b5060a09f

    • SHA256

      be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36

    • SHA512

      3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

    • SSDEEP

      96:33YnIxFkDUGZpKSmktse3GpmD8pevbE9cxSgB5PKtAtYE9v5E9KntrmfVEB3YdkS:33YIvGZDdtP8pevbg0PuAYK56NyoIFI

    Score
    3/10
    • Target

      19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984.xlsx

    • Size

      653KB

    • MD5

      ddfba93d516fe962fc785056189afea7

    • SHA1

      65197b03ded95c0664179c1f28637d5799ece267

    • SHA256

      19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984

    • SHA512

      4954799467218948b955697827b98d7b9681b1608bc2472c57fa4c218a6d9f38491b7df10f60e66a69c699c8352d6a0392d059114c0c2be59e6fc254fa1e8b62

    • SSDEEP

      12288:NLnWI4DNnXcSKJ/icWmLyzuCuMeOFC0180gzLuh1Y+5NIj6nSuP3T1sHOGJ65e:F0DNXcX0cWm+zLFWdLcK+TDx3pZs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9.vbs

    • Size

      150KB

    • MD5

      4986a0bfa6ae968632439e36e76bba38

    • SHA1

      e63b5c00a3dc1211252836437b87817a8ab270fb

    • SHA256

      27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9

    • SHA512

      346c1e13857bda390277152cb0bee0874f61acc06c34f666e26e7450a4d3f88aaab75a345a25bcaf9ca522e51e0a4ed774545f6ae625a803dabe8d7bf7604f09

    • SSDEEP

      1536:jrUd99CObi/SXcfGdaJK6Uo6phGW0/5JJd0Pc1Ug0BjbUZlu9gISsRz:vUdqRJK6l/oc6g0Bjcc

    Score
    8/10
    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c.xls

    • Size

      1.1MB

    • MD5

      1e6c9f990dd7202566b2cba4c001ff0f

    • SHA1

      ff67a2ca8b98bbf075034dc8e7c08c7a4e0e25ea

    • SHA256

      304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c

    • SHA512

      c7e81ce0fe310ac97088ab256af3d3d7e8237b376b3527184a62db12fc9fede04ebf64ffc96651caa1b1c64f407d00dcffa6792c021a9e6b7106963362fe7b9d

    • SSDEEP

      24576:7tzu4Lr5tn0GZ476hEP4da/z9Ji99Ch4XsIvJcV4JshP2AkJ2blC9wEBA:FlFzZ476hEP4E/g9CssNeJauJ2hyBB

    Score
    1/10
    • Target

      365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77.exe

    • Size

      36KB

    • MD5

      8c7a27e350f94889345cefb72d79ff68

    • SHA1

      edafc407ad4dc2e4a66f0259edbb696cd0aca4f5

    • SHA256

      365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77

    • SHA512

      305147d51a2656d51d2c2b1bbb15418774837cf69218e6afbe5a22e17a0686aa63f796d81e054eba599d5f91df4f4dfdc33f5eaba25eba1d9b9a05d224c56076

    • SSDEEP

      768:uoLtt3QI2/yQJVZU1eo8icH+1WbFb9YWIOMhbQLvj:u2b3QI2/yQBIeNicH+1SFb9YWIOMZij

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Target

      397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c.lnk

    • Size

      21KB

    • MD5

      eaf0d2fbd918a0d2f86d1e99ddb590a1

    • SHA1

      83785e53eff3ca9530d0a25bcadd2ad68e65a211

    • SHA256

      397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c

    • SHA512

      1d265dbaa11e2b50ac9fe53da146ce522f76ccf16fcb969f01ba61ad084a4520a37c70a254f03606633ab9cd129c9383db39d519517af94f1542a8ed1da04d8b

    • SSDEEP

      384:jYteQXSNty2asQw4tgyqh8CJhqbk/0RF+npET8a8TPHr75CrFXgddoM:DptOdS7hzhqbKnAmPpCKn

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab.lnk

    • Size

      21KB

    • MD5

      4415243fcb9203beae1702aa26910196

    • SHA1

      ebc113a171e9c71cbf632e675f7406df4df1a56a

    • SHA256

      3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab

    • SHA512

      1ab29ca95a4027999b955dceb0a0f8f9150c5ad0648448d9d9d856b65ce371751d02335c8efab0f2b5b19fec25ac34f0b0d78d39230752ad608d0b49961e37c1

    • SSDEEP

      384:Fk3cdmHBOYmMKWSTaYwxEzyj1MjqJ6mEbjYaRe+7zia83XBDCmTMWE0jf0lXiT63:yCmcYmMKFmYvzyiZbsM9FwxGgcUmrr

    Score
    8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673.xlsx

    • Size

      1.3MB

    • MD5

      9b57a1c10146136ab07052d49c75bf76

    • SHA1

      23d56976bbc90ecd3c00581ba7cd379c2b0b6c9c

    • SHA256

      40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673

    • SHA512

      36c6b33d454b3c6a7a4c8f97dbb62ea36a28ec2bfe6f4002a743baea7817cf644fd07dfa1b84a8f5621939e7d25106939fd16c18772a3b968dfbd93d94c62490

    • SSDEEP

      24576:N9vAixudwuVjUzskic7aIPAmH/JeGUwQKI:PvHxIwSIAk

    Score
    1/10
    • Target

      746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069.xls

    • Size

      1.1MB

    • MD5

      55889fbacc64b00d2effbf215bd9b3ec

    • SHA1

      16774debb9af5a3df4f947aacccf3224f6dc3473

    • SHA256

      746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069

    • SHA512

      46bbc23892af173d7e99489a9da4a3a3a6b454ab7bfba2954ea60136971731119cdde1c287f3b15cb63022418824f82fb48e0ec053db3102a73f1fe5e8d6aede

    • SSDEEP

      24576:utzu4Lr5tn0Gi6hEP4da/z9Ji99Ch4XsIvJcFt7RP+T4AWWtzENTN6C:QlFzi6hEP4E/g9CssNL7RPYmT6C

    Score
    1/10
    • Target

      85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f.jar

    • Size

      448KB

    • MD5

      5f44aa92cda88f8b88f783f5ce2df636

    • SHA1

      f791bc786571bfb36e94ed6a293fa22304a5df78

    • SHA256

      85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f

    • SHA512

      446a86271230343e77530136293ff29467d4166f0b812fc6cc99f53a516e492b21f0fe48fdb033f78db8e7a1620c32c00264d995f948f023ea608cdc2ccb5559

    • SSDEEP

      12288:c75igiDyZEO28Cabb5Je8wUYFkGnwce4U:8EyWO28CaRJVwdFk2Yh

    Score
    7/10
    • Target

      984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41.vbs

    • Size

      533B

    • MD5

      402691d239f5bfd22b3937d842ab50e5

    • SHA1

      8f4562a7bfbd6d496b48454b595cef058fe1e9ad

    • SHA256

      984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41

    • SHA512

      0f44b1004b20533ddc4edfe59c2278a2954db4022058e49365af65c9fb68ba86cbf0359f31bffc0d65d94dcf15c38e5fe713a1ef5299dc4388ff37045b097abc

    Score
    10/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce.exe

    • Size

      34KB

    • MD5

      63e46b6425db8622626f0094a49fc323

    • SHA1

      fedfcddc9659ec171f40661ad7e375af9be071cc

    • SHA256

      9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce

    • SHA512

      7af3aa00041ec7a77abc45624973b24b747539c3fd8ecefbadc0fc7191d7cd18735a7f77b3f55cfa14d702c6c237722662daa5f4dbdece4f442e4bc41443e807

    • SSDEEP

      768:N4fK1pDGkptwyZScCBSUapNgqtRU/kZB+Bcg4tlTF5923UO9hASURJ:NDGkptwyZScCkU4rPUsZIB54HF592kOe

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Target

      9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk

    • Size

      30KB

    • MD5

      3deb98c1970c8ed0d95086d79e579231

    • SHA1

      bc8b9ae3e0e278c69d100d30333dc380fc7fe57a

    • SHA256

      9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4

    • SHA512

      e25073a88ac942f2aee7f57de6bd51b3b0dbf9caa0c5b569f603315cae5de2ce9308fa974f44b8a24b5cc661f8f152cdfc5ee985f7e388319d2ec4059cc28630

    • SSDEEP

      24:8l/BHYVKVWuMs4ds+/CWLC7SfW8g/kwCYmaHKPeFI:815aTDds7S7gzTmE

    Score
    10/10
    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Target

      c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlsx

    • Size

      652KB

    • MD5

      d32ebf59d912022ad03be9f1a79d1622

    • SHA1

      70e185fcd828497aea47489ebd84feb70ed21983

    • SHA256

      c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef

    • SHA512

      f463d70e2773a9b27c43ff24a2fdfc242e55050ba81ea5af34b9984b8aae7697ce0d38135dfefb507efc89c7ca0aba1b6be7040092dd98ce8811b9ab5bb474a5

    • SSDEEP

      12288:eOnWEibaQbA8GS3zY4uKhbO6ZvRM98HaN6N2hN1JAQYVu5RGE41Gw57bhRw:5vQlcfKhrZvRZa42hNKuHGES/O

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Command and Scripting Interpreter (T1059): 3

  • PowerShell (T1059.001): 3

  • Exploitation for Client Execution (T1203): 2

Defense Evasion

  • Modify Registry (T1112): 7

  • File and Directory Permissions Modification (T1222): 1

Discovery

  • System Information Discovery (T1082): 19

  • Query Registry (T1012): 18

Command and Control

  • Web Service (T1102): 1

Tasks

static1

remotehost, xworm, remcos, adwind
Score
10/10

behavioral1

execution
Score
8/10

behavioral2

execution
Score
8/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral8

Score
1/10

behavioral9

Score
8/10

behavioral10

Score
6/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

xworm, rat, trojan
Score
10/10

behavioral14

xworm, rat, trojan
Score
10/10

behavioral15

Score
3/10

behavioral16

Score
8/10

behavioral17

Score
3/10

behavioral18

Score
8/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

discovery
Score
7/10

behavioral25

execution
Score
10/10

behavioral26

execution
Score
10/10

behavioral27

xworm, rat, trojan
Score
10/10

behavioral28

xworm, rat, trojan
Score
10/10

behavioral29

Score
3/10

behavioral30

execution
Score
10/10

behavioral31

agenttesla, keylogger, spyware, stealer, trojan
Score
10/10

behavioral32

Score
1/10