General

  • Target

    system32.exe

  • Size

    39KB

  • Sample

    230407-ftxsksac2w

  • MD5

    0b91a67678d1d12445c29e24a4285c83

  • SHA1

    45ae543b41192d69ec7596234944435ae64c8d43

  • SHA256

    20e9aef5dc8b431c1e7e1c93fd0c4173c0bea2965df8226a47d929f273e0a377

  • SHA512

    5dc7a0f897e21a0b9e92e717074782dca8b98d3508684923c7582eb8a995a442501154fa1680c557379abf3b442d9aa5884938225ad567c95e8d085ac5159f62

  • SSDEEP

    768:+e8A4X7P7DHnKPCt/kXF8UjF5Ph9C2w6FOwhDICFHCgcO:FQXXzB1wKUFD9Vw6FOwaMiE

Malware Config

Extracted

Family

xworm

C2

display-trade.at.ply.gg:25685

Mutex

9ZiSQ5Pyj3yT9BMp

Attributes
  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      system32.exe

    • Size

      39KB

    • MD5

      0b91a67678d1d12445c29e24a4285c83

    • SHA1

      45ae543b41192d69ec7596234944435ae64c8d43

    • SHA256

      20e9aef5dc8b431c1e7e1c93fd0c4173c0bea2965df8226a47d929f273e0a377

    • SHA512

      5dc7a0f897e21a0b9e92e717074782dca8b98d3508684923c7582eb8a995a442501154fa1680c557379abf3b442d9aa5884938225ad567c95e8d085ac5159f62

    • SSDEEP

      768:+e8A4X7P7DHnKPCt/kXF8UjF5Ph9C2w6FOwhDICFHCgcO:FQXXzB1wKUFD9Vw6FOwaMiE

    • XenArmor Suite

      XenArmor is a suite of password recovery tools for various applications.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with the ACProtect packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
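The extracted config (C2 host:port, mutex, install_file) and the persistence signatures above are the parts of this report an analyst turns into hunting artefacts. The following Python is an added example, not part of the sandbox report or of any tool the page describes: it parses a constructed copy of the report's key/value lines, checks that each listed hash has the length and charset of its algorithm (a quick guard against copy errors before the values go into a blocklist), and derives host- and network-side items to hunt for. The Run key path is not in the report, so the example matches only on the install_file name and labels that assumption in a comment.

```python
import re

# Constructed excerpt of the report above (assumption: Triage-style layout,
# a key line followed by its value on the next non-blank line).
REPORT = """\
General
  • MD5
    0b91a67678d1d12445c29e24a4285c83
  • SHA1
    45ae543b41192d69ec7596234944435ae64c8d43
  • SHA256
    20e9aef5dc8b431c1e7e1c93fd0c4173c0bea2965df8226a47d929f273e0a377
Malware Config
Family
xworm
C2
display-trade.at.ply.gg:25685
Mutex
9ZiSQ5Pyj3yT9BMp
Attributes
  • install_file
    USB.exe
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = set(HASH_LENGTHS) | {"Family", "C2", "Mutex", "install_file"}
C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def _tokens(text):
    """Yield non-blank lines with bullets and indentation stripped."""
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line:
            yield line


def parse_report(text):
    """Map each known key to the list of values that follow it."""
    found = {}
    pending = None
    for tok in _tokens(text):
        if pending is not None:
            found.setdefault(pending, []).append(tok)
            pending = None
        elif tok in KEYS:
            pending = tok
    return found


def parse_c2(entry):
    """Split 'host:port' and reject malformed entries or impossible ports."""
    m = C2_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised C2 entry: {entry!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in C2 entry: {entry!r}")
    return m.group("host"), port


def validate_hashes(found):
    """Return (algorithm, value) pairs whose length or charset is wrong."""
    bad = []
    for algo, length in HASH_LENGTHS.items():
        for value in found.get(algo, []):
            if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
                bad.append((algo, value))
    return bad


def hunt_items(found):
    """Derive hunting artefacts from the parsed config."""
    items = []
    for entry in found.get("C2", []):
        host, port = parse_c2(entry)
        items.append(("dns_query", host))
        items.append(("tcp_connect", f"{host}:{port}"))
    for mutex in found.get("Mutex", []):
        items.append(("mutex", mutex))
    for name in found.get("install_file", []):
        # "Adds Run key to start application" names no key path, so the
        # hunt matches any Run value whose data contains the dropped file
        # name (assumption: the Run entry points at the install_file copy).
        items.append(("run_key_value_contains", name))
    return items


if __name__ == "__main__":
    cfg = parse_report(REPORT)
    print("hash problems:", validate_hashes(cfg))
    for kind, value in hunt_items(cfg):
        print(f"{kind:24} {value}")
```

The hunt items are deliberately generic (a DNS query, a TCP connection, a mutex name, a Run value containing USB.exe) so they can be mapped onto whatever telemetry is available; the C2 host sits on a dynamically assigned tunnel-style subdomain and a port that can change between builds, so the mutex and install_file name are the more durable of the four.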
