General

  • Target: files.zip
  • Size: 26.0MB
  • Sample: 230401-za3n9sdh6t
  • MD5: 6a6b53119f5ebcfe8972320273a42a58
  • SHA1: 751f4a806870c7d09fdc7c31145d9b5acb4d3234
  • SHA256: 0fccb88dd106638ef91db078bb6534849cc1b12f68bb1a08a70db89d338a10f0
  • SHA512: 4d14788233ddd645b9d874c0e1b38aa0d94231f6e49a0a2c2238da30ef1b51d2b12475057e2098c02091128cad56ea129ef21ed029be443515ea14e2d13659fd
  • SSDEEP: 786432:X5X23QgeyHQxdT2cqWdmUlzFvXCif1+uHKQhTTPNredaC:pX23QghE98WdmIFSm/oZ

Malware Config

Extracted

  • Family: asyncrat
  • Botnet: Default
  • C2:
      127.0.0.1:6606
      127.0.0.1:7707
      127.0.0.1:8808
      https://api.telegram.org/bot6133753310:AAHOsvlWQDP23zggObP6jfcNHkvhUg1zl1k/sendMessage?chat_id=5876226574
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
      delay: 3
      install: false
      install_folder: %AppData%
      aes.plain

Extracted

  • Family: redline
  • Botnet: DARKWEB
  • C2: 89.22.234.180:40608
  • Attributes
      auth_value: cf407bc0c9a8384bb62aa110b7844cfe

Targets

  • Target: XWorm_V3.1/XWorm V3.1.exe
    Size: 7.2MB
    MD5: c0897e921672c2619acc5d9ff1329860
    SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
    SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
    SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff
    SSDEEP: 196608:FLQ6B/XKUDz9NoUXJzUWi7MYjBVvo5/UVC:ZFlaU/9NZXJZinjB9oxgC

    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Target: XWorm_V3.1/crack.exe
    Size: 175KB
    MD5: d2cc190ae73674db35f0dedfb1b76d0b
    SHA1: 02cc0edba7f750c8069ded02726adadf8faf5a69
    SHA256: e7f0d6d12608ea3a553998fef002ec41d346b29e32634a3279c2e4be10aa9e97
    SHA512: 45d085308e73554674dcb480d0c37ce289df28f1b04b2e3f6932c112d3a388443d60f9cfbeed9038b2688b858bf1c019591d55ad5f670d998c9d721083da4db0
    SSDEEP: 3072:Be8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTHwA5E+WpCc:d6ewwIwQJ6vKX0c5MlYZ0b2Q

    • AsyncRat
      AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.
    • StormKitty
      StormKitty is an open source info stealer written in C#.
    • StormKitty payload
    • Async RAT payload
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Drops desktop.ini file(s)
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.
    • Looks up geolocation information via web service
      Uses a legitimate geolocation service to find the infected system's geolocation information.

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access
  • Credentials in Files (T1081): 3

Discovery
  • Query Registry (T1012): 3
  • System Information Discovery (T1082): 3

Collection
  • Data from Local System (T1005): 3

Tasks