Overview (score 10/10)
Static (score 10/10)

Per-task scores, as read from the report's task tabs (file names truncated as shown there):

Sample                  windows7-x64   windows10-2004-x64
0d63eafe7f...99.exe     8              8
$PLUGINSDI...ge.dll     1              1
$PLUGINSDI...gs.dll     3              3
1921502319...4.xlam     10             1
27133b9541...e9.vbs     8              6
304278cfa0...1c.xls     1              1
365771facf...77.exe     10             10
397900307d...0c.lnk     3              8
3d390249d9...ab.lnk     3              8
40e5adc952...73.xls     1              1
746afcd799...69.xls     1              1
85af8304fd...9f.jar     1              7
984646a5a7...41.vbs     10             10
9c33e83331...ce.exe     10             10
9f07c02b13...b4.lnk     3              10
c0baec4eb2...f.xlam     10             1

General
Target: 8ed91c8de844e9e8e083719b6a931516902773a7d7f7d5fccb9874180c9a886c
Size: 7.2MB
Sample: 240617-bd377swhrc
MD5: 89886c2edf05ecf1c7bd699afc33b087
SHA1: 0418403f212b5b5f57fec4cbaa37ff12683a4f80
SHA256: 8ed91c8de844e9e8e083719b6a931516902773a7d7f7d5fccb9874180c9a886c
SHA512: 435d58b0338940eafc3eab050eb20838a0c8abc1d0517da40c8cda1117d0e74e368093f945fdffe6910dfb84175c728be3a5ce3ef32e7735b9f111cc081e3ca3
SSDEEP: 196608:mn5gKydXl5j5t4y52QOLX6C4ud1cDFon18Yt3xIrKGq:DrdHVtIQTo1cZo+aBJGq
Behavioral tasks

Task           Sample                                                                    Resource
behavioral1    0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe      win7-20240508-en
behavioral2    0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe      win10v2004-20240508-en
behavioral3    $PLUGINSDIR/BgImage.dll                                                   win7-20240611-en
behavioral4    $PLUGINSDIR/BgImage.dll                                                   win10v2004-20240508-en
behavioral5    $PLUGINSDIR/nsDialogs.dll                                                 win7-20240220-en
behavioral6    $PLUGINSDIR/nsDialogs.dll                                                 win10v2004-20240508-en
behavioral7    19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984.xlam     win7-20240221-en
behavioral8    19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984.xlam     win10v2004-20240508-en
behavioral9    27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9.vbs      win7-20240611-en
behavioral10   27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9.vbs      win10v2004-20240508-en
behavioral11   304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c.xls      win7-20231129-en
behavioral12   304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c.xls      win10v2004-20240508-en
behavioral13   365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77.exe      win7-20240611-en
behavioral14   365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77.exe      win10v2004-20240611-en
behavioral15   397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c.lnk      win7-20240508-en
behavioral16   397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c.lnk      win10v2004-20240611-en
behavioral17   3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab.lnk      win7-20240508-en
behavioral18   3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab.lnk      win10v2004-20240611-en
behavioral19   40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673.xls      win7-20240221-en
behavioral20   40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673.xls      win10v2004-20240611-en
behavioral21   746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069.xls      win7-20240508-en
behavioral22   746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069.xls      win10v2004-20240508-en
behavioral23   85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f.jar      win7-20240220-en
behavioral24   85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f.jar      win10v2004-20240508-en
behavioral25   984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41.vbs      win7-20240611-en
behavioral26   984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41.vbs      win10v2004-20240226-en
behavioral27   9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce.exe      win7-20240611-en
behavioral28   9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce.exe      win10v2004-20240508-en
behavioral29   9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk      win7-20240508-en
behavioral30   9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk      win10v2004-20240611-en
behavioral31   c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlam     win7-20240221-en
behavioral32   c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlam     win10v2004-20240611-en
Malware Config

Extracted: xworm
Version: 5.0
C2: yoda2024.sytes.net:43831
fWQWs5QfpFj07ys9 (unlabeled field in the report)
install_file: USB.exe

Extracted: xworm
Version: 3.1
C2: june9402xw.duckdns.org:9402
TAtfGa9f0WCjVzn6 (unlabeled field in the report)
install_file: USB.exe

Extracted: remcos
RemoteHost: yoda2024.sytes.net:43833
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-N091BG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5

Extracted URLs:
http://149.102.147.106:550/q.jpg
http://198.23.201.89/warm/wow123.hta
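The extracted configurations are the most reusable part of this report, and one detail is worth noticing before hunting with them: the XWorm 5.0 and Remcos configs point at the same host, yoda2024.sytes.net, on adjacent ports (43831 and 43833). The script below is an added example, not part of the sandbox report. It copies the config values above into a small indicator set, derives the Remcos host artifacts together with the config flag that gates each one (so a hunter does not expect a keylog file from a build with keylog_flag false), and runs the network indicators over constructed log lines. The log format, the log lines, the Windows path layout for the Remcos artifacts, and the assumption that the mutex is created unconditionally are all assumptions made for the example.

```python
"""Hunting indicators derived from the report's extracted XWorm/Remcos configs.

Added example (not part of the sandbox report). Config values are copied from
the "Malware Config" section; the log lines and their key=value format are
constructed; the Remcos artifact paths are an assumption based on the field
names (copy_folder, keylog_folder, screenshot_path) gated on the *_flag values.
"""
import re
from urllib.parse import urlparse

# Copied from the report's "Malware Config" section.
XWORM_C2 = {"5.0": "yoda2024.sytes.net:43831", "3.1": "june9402xw.duckdns.org:9402"}
REMCOS = {
    "RemoteHost": "yoda2024.sytes.net:43833", "copy_file": "remcos.exe",
    "copy_folder": "Remcos", "install_flag": False, "keylog_file": "logs.dat",
    "keylog_folder": "remcos", "keylog_flag": False, "mutex": "Rmc-N091BG",
    "screenshot_folder": "Screenshots", "screenshot_path": "%AppData%",
    "screenshot_flag": False, "startup_value": "Remcos",
}
EXTRACTED_URLS = ["http://149.102.147.106:550/q.jpg",
                  "http://198.23.201.89/warm/wow123.hta"]

# Constructed log lines (not from the report) in a made-up key=value format.
LOG_LINES = [
    "2024-06-17T10:00:01Z dns src=10.0.0.5 query=yoda2024.sytes.net type=A",
    "2024-06-17T10:00:02Z conn src=10.0.0.5 dst=203.0.113.7:43833 proto=tcp",
    "2024-06-17T10:00:05Z proxy src=10.0.0.9 url=http://198.23.201.89/warm/wow123.hta status=200",
    "2024-06-17T10:00:07Z dns src=10.0.0.12 query=www.example.com type=A",
    "2024-06-17T10:00:09Z dns src=10.0.0.5 query=JUNE9402XW.duckdns.org type=A",
    "2024-06-17T10:00:11Z conn src=10.0.0.5 dst=149.102.147.106:550 proto=tcp",
]

HOST_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
URL_RE = re.compile(r"\burl=(\S+)")


def _split_c2(c2):
    host, port = c2.rsplit(":", 1)
    return host.lower(), int(port)


def network_iocs():
    """Hosts, (host, port) endpoints and URLs to hunt for, from all three configs."""
    hosts, endpoints = set(), set()
    for c2 in list(XWORM_C2.values()) + [REMCOS["RemoteHost"]]:
        host, port = _split_c2(c2)
        hosts.add(host)
        endpoints.add((host, port))
    for url in EXTRACTED_URLS:
        u = urlparse(url)
        hosts.add(u.hostname)
        endpoints.add((u.hostname, u.port or 80))  # plain http default when no port given
    return {"hosts": hosts, "endpoints": endpoints, "urls": set(EXTRACTED_URLS)}


def shared_c2_hosts():
    """C2 hosts used by both the XWorm and the Remcos configs in this bundle."""
    xworm = {_split_c2(c2)[0] for c2 in XWORM_C2.values()}
    return xworm & {_split_c2(REMCOS["RemoteHost"])[0]}


def host_iocs():
    """Host artifacts the Remcos config implies, each with whether this build is
    expected to create it. Assumption: the mutex is created unconditionally;
    the other artifacts are gated on the *_flag fields of the config."""
    r = REMCOS
    return [
        ("mutex", r["mutex"], True),
        ("run-key value", r["startup_value"], r["install_flag"]),
        ("copied binary", r["copy_folder"] + "\\" + r["copy_file"], r["install_flag"]),
        ("keylog file", r["keylog_folder"] + "\\" + r["keylog_file"], r["keylog_flag"]),
        ("screenshot dir", r["screenshot_path"] + "\\" + r["screenshot_folder"], r["screenshot_flag"]),
    ]


def scan_logs(lines, iocs=None):
    """Return (line index, reason, matched value) for every line touching an IOC.

    Only DNS names, explicit IP endpoints and full URLs are matched: the report
    gives dynamic-DNS hostnames but not the IPs they resolved to, so a connection
    to an unknown IP on a C2 port (LOG_LINES[1]) is deliberately not flagged.
    """
    iocs = iocs or network_iocs()
    hits = []
    for n, line in enumerate(lines):
        m = HOST_RE.search(line)
        if m and m.group(1).lower() in iocs["hosts"]:
            hits.append((n, "c2-host", m.group(1).lower()))
            continue
        m = DST_RE.search(line)
        if m and (m.group(1), int(m.group(2))) in iocs["endpoints"]:
            hits.append((n, "c2-endpoint", m.group(1) + ":" + m.group(2)))
            continue
        m = URL_RE.search(line)
        if m and m.group(1) in iocs["urls"]:
            hits.append((n, "payload-url", m.group(1)))
    return hits


if __name__ == "__main__":
    print("shared C2 host(s):", sorted(shared_c2_hosts()))
    for kind, value, expected in host_iocs():
        print(f"{kind:15} {value:30} expected={expected}")
    for hit in scan_logs(LOG_LINES):
        print("HIT", hit)
```

The deliberate non-hit on the second constructed line is the practical caveat: both XWorm C2s and the Remcos C2 are dynamic-DNS names, and the report records no resolved addresses, so hunting has to start from DNS query logs (or from the two literal IPs in the extracted URLs) rather than from firewall destination IPs.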
Targets

Target: 0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99.exe
Size: 824KB
MD5: 557d44cc5e33ac15ef0b659e5e58433d
SHA1: 389c0e121ee86c95c31915b54489e278a800b76d
SHA256: 0d63eafe7f4eebd3b782dd262da6fa3e562c420e0ecfff540ee1a9c5a76b0f99
SHA512: ed6cfd791b7367f065c4f278d70288961bd01de010648776be6351aec2822b3080b72343cff5a8ab6d73a5131b73a02d03a3274f8b98cdf2433191a50e8596b4
SSDEEP: 12288:0Y4eAXsAvV7ihwdVUuRhnMLCke0euDme6ocbosxyc:EeAXsmV7Ywk+n0Cz0sEc0cv
Score: 8/10
Signatures:
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: $PLUGINSDIR/BgImage.dll (stock NSIS installer plugin)
Size: 7KB
MD5: ee255bdf426349e1caa8f1b71de9fd22
SHA1: d589773826620046df1d77dd148f819a88dd35ec
SHA256: a45f294137e2b0f6092eee8fdd2e19334f34ff3640d865a810b70f2104e92c21
SHA512: 71eeb41b5816b7d0f9517264aaf026da878561b6a222064c8100e47c383de9ac369800b734468322f3a6fc3eedb1a23d3c5ca6874bd7bf84af08f395248872cc
SSDEEP: 96:8ePik1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTc4j7J3kWyy/:tPdTJa2roqJyA2EN8diuTJje
Score: 1/10
Target: $PLUGINSDIR/nsDialogs.dll (stock NSIS installer plugin)
Size: 9KB
MD5: dbdbf4017ff91c9de328697b5fd2e10a
SHA1: b597a5e9a8a0b252770933feed51169b5060a09f
SHA256: be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36
SHA512: 3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10
SSDEEP: 96:33YnIxFkDUGZpKSmktse3GpmD8pevbE9cxSgB5PKtAtYE9v5E9KntrmfVEB3YdkS:33YIvGZDdtP8pevbg0PuAYK56NyoIFI
Score: 3/10
Target: 19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984.xlsx (listed as .xlam in the task list above)
Size: 653KB
MD5: ddfba93d516fe962fc785056189afea7
SHA1: 65197b03ded95c0664179c1f28637d5799ece267
SHA256: 19215023198d9ebe4a626113cc6c001bd4d250ebea69aa25afd483aefd4c0984
SHA512: 4954799467218948b955697827b98d7b9681b1608bc2472c57fa4c218a6d9f38491b7df10f60e66a69c699c8352d6a0392d059114c0c2be59e6fc254fa1e8b62
SSDEEP: 12288:NLnWI4DNnXcSKJ/icWmLyzuCuMeOFC0180gzLuh1Y+5NIj6nSuP3T1sHOGJ65e:F0DNXcX0cWm+zLFWdLcK+TDx3pZs
Score: 10/10
Signatures:
- AgentTesla (Agent Tesla is a remote access tool (RAT) written in Visual Basic.)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service (Uses a legitimate IP lookup service to find the infected system's external IP.)
- AutoIT Executable (AutoIT scripts compiled to PE executables.)
- Suspicious use of SetThreadContext
Target: 27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9.vbs
Size: 150KB
MD5: 4986a0bfa6ae968632439e36e76bba38
SHA1: e63b5c00a3dc1211252836437b87817a8ab270fb
SHA256: 27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9
SHA512: 346c1e13857bda390277152cb0bee0874f61acc06c34f666e26e7450a4d3f88aaab75a345a25bcaf9ca522e51e0a4ed774545f6ae625a803dabe8d7bf7604f09
SSDEEP: 1536:jrUd99CObi/SXcfGdaJK6Uo6phGW0/5JJd0Pc1Ug0BjbUZlu9gISsRz:vUdqRJK6l/oc6g0Bjcc
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
Target: 304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c.xls
Size: 1.1MB
MD5: 1e6c9f990dd7202566b2cba4c001ff0f
SHA1: ff67a2ca8b98bbf075034dc8e7c08c7a4e0e25ea
SHA256: 304278cfa0f9f2e81a48c4f23bcb97920b6263c07484b9a0793c2d1b8c65171c
SHA512: c7e81ce0fe310ac97088ab256af3d3d7e8237b376b3527184a62db12fc9fede04ebf64ffc96651caa1b1c64f407d00dcffa6792c021a9e6b7106963362fe7b9d
SSDEEP: 24576:7tzu4Lr5tn0GZ476hEP4da/z9Ji99Ch4XsIvJcV4JshP2AkJ2blC9wEBA:FlFzZ476hEP4E/g9CssNeJauJ2hyBB
Score: 1/10
Target: 365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77.exe
Size: 36KB
MD5: 8c7a27e350f94889345cefb72d79ff68
SHA1: edafc407ad4dc2e4a66f0259edbb696cd0aca4f5
SHA256: 365771facf4476f03189fbace015a962f6fd021650f4ebd61acd0c675bc85b77
SHA512: 305147d51a2656d51d2c2b1bbb15418774837cf69218e6afbe5a22e17a0686aa63f796d81e054eba599d5f91df4f4dfdc33f5eaba25eba1d9b9a05d224c56076
SSDEEP: 768:uoLtt3QI2/yQJVZU1eo8icH+1WbFb9YWIOMhbQLvj:u2b3QI2/yQBIeNicH+1SFb9YWIOMZij
Signatures:
- Detect Xworm Payload
Target: 397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c.lnk
Size: 21KB
MD5: eaf0d2fbd918a0d2f86d1e99ddb590a1
SHA1: 83785e53eff3ca9530d0a25bcadd2ad68e65a211
SHA256: 397900307dd4900066b97d9cdbf0e4cdaf145572b84293e1e08c2a15e7963a0c
SHA512: 1d265dbaa11e2b50ac9fe53da146ce522f76ccf16fcb969f01ba61ad084a4520a37c70a254f03606633ab9cd129c9383db39d519517af94f1542a8ed1da04d8b
SSDEEP: 384:jYteQXSNty2asQw4tgyqh8CJhqbk/0RF+npET8a8TPHr75CrFXgddoM:DptOdS7hzhqbKnAmPpCKn
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (Looks up the country code configured in the registry, likely a geofence.)
Target: 3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab.lnk
Size: 21KB
MD5: 4415243fcb9203beae1702aa26910196
SHA1: ebc113a171e9c71cbf632e675f7406df4df1a56a
SHA256: 3d390249d9ba45f8e6198dde8319ee8ccd5b9b23921472095ed453544ca537ab
SHA512: 1ab29ca95a4027999b955dceb0a0f8f9150c5ad0648448d9d9d856b65ce371751d02335c8efab0f2b5b19fec25ac34f0b0d78d39230752ad608d0b49961e37c1
SSDEEP: 384:Fk3cdmHBOYmMKWSTaYwxEzyj1MjqJ6mEbjYaRe+7zia83XBDCmTMWE0jf0lXiT63:yCmcYmMKFmYvzyiZbsM9FwxGgcUmrr
Score: 8/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings (Looks up the country code configured in the registry, likely a geofence.)
Target: 40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673.xlsx (listed as .xls in the task list above)
Size: 1.3MB
MD5: 9b57a1c10146136ab07052d49c75bf76
SHA1: 23d56976bbc90ecd3c00581ba7cd379c2b0b6c9c
SHA256: 40e5adc952e8c472e083a539cd67ac339132f2e41a2c99dd3083dd720c041673
SHA512: 36c6b33d454b3c6a7a4c8f97dbb62ea36a28ec2bfe6f4002a743baea7817cf644fd07dfa1b84a8f5621939e7d25106939fd16c18772a3b968dfbd93d94c62490
SSDEEP: 24576:N9vAixudwuVjUzskic7aIPAmH/JeGUwQKI:PvHxIwSIAk
Score: 1/10
Target: 746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069.xls
Size: 1.1MB
MD5: 55889fbacc64b00d2effbf215bd9b3ec
SHA1: 16774debb9af5a3df4f947aacccf3224f6dc3473
SHA256: 746afcd79967881e5a7a21ff847a60c9ef6f1c2dbd796b4ad0c16bc85009d069
SHA512: 46bbc23892af173d7e99489a9da4a3a3a6b454ab7bfba2954ea60136971731119cdde1c287f3b15cb63022418824f82fb48e0ec053db3102a73f1fe5e8d6aede
SSDEEP: 24576:utzu4Lr5tn0Gi6hEP4da/z9Ji99Ch4XsIvJcFt7RP+T4AWWtzENTN6C:QlFzi6hEP4E/g9CssNL7RPYmT6C
Score: 1/10
Target: 85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f.jar
Size: 448KB
MD5: 5f44aa92cda88f8b88f783f5ce2df636
SHA1: f791bc786571bfb36e94ed6a293fa22304a5df78
SHA256: 85af8304fde85bfbd5323012e0f79fab0045a85943454c7757dece03686b049f
SHA512: 446a86271230343e77530136293ff29467d4166f0b812fc6cc99f53a516e492b21f0fe48fdb033f78db8e7a1620c32c00264d995f948f023ea608cdc2ccb5559
SSDEEP: 12288:c75igiDyZEO28Cabb5Je8wUYFkGnwce4U:8EyWO28CaRJVwdFk2Yh
Score: 7/10
Signatures:
- Modifies file permissions
Target: 984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41.vbs
Size: 533B
MD5: 402691d239f5bfd22b3937d842ab50e5
SHA1: 8f4562a7bfbd6d496b48454b595cef058fe1e9ad
SHA256: 984646a5a7686265df256e88616dc046b8daa6fbc1807ae67d2933caf0e6af41
SHA512: 0f44b1004b20533ddc4edfe59c2278a2954db4022058e49365af65c9fb68ba86cbf0359f31bffc0d65d94dcf15c38e5fe713a1ef5299dc4388ff37045b097abc
Score: 10/10
Signatures:
- Checks computer location settings (Looks up the country code configured in the registry, likely a geofence.)
Target: 9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce.exe
Size: 34KB
MD5: 63e46b6425db8622626f0094a49fc323
SHA1: fedfcddc9659ec171f40661ad7e375af9be071cc
SHA256: 9c33e83331c4e2e954f355f453bd32add84016d45e6434d568fb56b690de26ce
SHA512: 7af3aa00041ec7a77abc45624973b24b747539c3fd8ecefbadc0fc7191d7cd18735a7f77b3f55cfa14d702c6c237722662daa5f4dbdece4f442e4bc41443e807
SSDEEP: 768:N4fK1pDGkptwyZScCBSUapNgqtRU/kZB+Bcg4tlTF5923UO9hASURJ:NDGkptwyZScCkU4rPUsZIB54HF592kOe
Signatures:
- Detect Xworm Payload
Target: 9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4.lnk
Size: 30KB
MD5: 3deb98c1970c8ed0d95086d79e579231
SHA1: bc8b9ae3e0e278c69d100d30333dc380fc7fe57a
SHA256: 9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4
SHA512: e25073a88ac942f2aee7f57de6bd51b3b0dbf9caa0c5b569f603315cae5de2ce9308fa974f44b8a24b5cc661f8f152cdfc5ee985f7e388319d2ec4059cc28630
SSDEEP: 24:8l/BHYVKVWuMs4ds+/CWLC7SfW8g/kwCYmaHKPeFI:815aTDds7S7gzTmE
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings (Looks up the country code configured in the registry, likely a geofence.)
- Executes dropped EXE
- AutoIT Executable (AutoIT scripts compiled to PE executables.)
Target: c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef.xlsx (listed as .xlam in the task list above)
Size: 652KB
MD5: d32ebf59d912022ad03be9f1a79d1622
SHA1: 70e185fcd828497aea47489ebd84feb70ed21983
SHA256: c0baec4eb2deb38c2f86c250a7aae50a417652429439bb5ecce82e8bac6892ef
SHA512: f463d70e2773a9b27c43ff24a2fdfc242e55050ba81ea5af34b9984b8aae7697ce0d38135dfefb507efc89c7ca0aba1b6be7040092dd98ce8811b9ab5bb474a5
SSDEEP: 12288:eOnWEibaQbA8GS3zY4uKhbO6ZvRM98HaN6N2hN1JAQYVu5RGE41Gw57bhRw:5vQlcfKhrZvRZa42hNKuHGES/O
Score: 10/10
Signatures:
- AgentTesla (Agent Tesla is a remote access tool (RAT) written in Visual Basic.)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service (Uses a legitimate IP lookup service to find the infected system's external IP.)
- AutoIT Executable (AutoIT scripts compiled to PE executables.)
- Suspicious use of SetThreadContext
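Several targets above carry the "Downloads MZ/PE file" signature, and one of the two extracted URLs serves its payload under an image name (http://149.102.147.106:550/q.jpg). The check a proxy or EDR rule applies in that situation is to classify a download by its bytes rather than by its URL. The following Python is an added example, not from the report: it validates the DOS header and the e_lfanew pointer to the PE signature, then reports a mismatch when a PE body arrives under a non-executable name. The response bodies, including the minimal PE, are constructed for the example; no content from the report's URLs is reproduced.

```python
"""Classify a downloaded body by its bytes, not by the name in the URL.

Added example (not part of the sandbox report). The PE, JPEG and HTA bodies
below are constructed for the example.
"""
import struct
from urllib.parse import urlparse

PE_MAGIC = b"PE\0\0"
JPEG_SOI = b"\xff\xd8\xff"

# What the file name claims the content is. Unknown extensions map to "unknown".
DECLARED = {"jpg": "image", "jpeg": "image", "png": "image", "gif": "image",
            "exe": "pe", "dll": "pe", "hta": "script", "vbs": "script", "js": "script"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature.

    The checks are ordered so that a short or truncated body never causes an
    out-of-range read: 'MZ' alone is not enough, the e_lfanew offset must lie
    inside the buffer, and the four bytes there must be the PE signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def declared_type(url: str) -> str:
    """Content type implied by the URL path's extension."""
    path = urlparse(url).path.lower()
    ext = path.rsplit(".", 1)[-1] if "." in path.rsplit("/", 1)[-1] else ""
    return DECLARED.get(ext, "unknown")


def classify_download(url: str, body: bytes) -> str:
    """Return 'pe-masquerade' when a PE arrives under a non-executable name."""
    declared = declared_type(url)
    if looks_like_pe(body):
        return "pe" if declared == "pe" else "pe-masquerade"
    if body[:3] == JPEG_SOI:
        return "image"
    return declared


def _fake_pe() -> bytes:
    """Constructed minimal PE: 64-byte DOS header with e_lfanew=0x40, then the
    PE signature and a COFF header (Machine=i386, one section, no optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_MAGIC + coff


# Constructed response bodies for the example.
JPEG_SAMPLE = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\0" * 64
HTA_SAMPLE = b"<html><script language=\"VBScript\">' placeholder</script></html>"


if __name__ == "__main__":
    cases = [
        ("http://149.102.147.106:550/q.jpg", _fake_pe()),
        ("http://149.102.147.106:550/q.jpg", JPEG_SAMPLE),
        ("http://198.23.201.89/warm/wow123.hta", HTA_SAMPLE),
        ("http://example.invalid/update.exe", _fake_pe()),
    ]
    for url, body in cases:
        print(f"{classify_download(url, body):15} {url}")
```

The check stops at the PE signature on purpose: a proxy rule needs a cheap, bounded test that cannot be fooled by the extension or by a body that merely starts with "MZ", and full header parsing belongs in the sandbox that this report came from.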