General

  • Target

    Luxury Shield 7.1.zip

  • Size

    10.1MB

  • Sample

    230426-mdd4vsgf74

  • MD5

    07d98b07c257eb1532f80c72f643edee

  • SHA1

    2c5d530de83fd11c60c8d18099fc39ba322ca197

  • SHA256

    79d731ef75cebcd139ee36573f72e103e0d13eccdb60aaa7393fca8966e9eef7

  • SHA512

    572e253dcf88cb4c142e8f7f8c2272bd7afcc3daf200d8a54a1b3d3c3795aea787e1a7c8c54191576e49e2bf7c186415e4dc1b34dae10bdecdc3635d63bfadf2

  • SSDEEP

    196608:nN5Lqm6L7yjyK7nM4TyW0olrgFCV8080JmwFwXp7ADWysN/l53CLU9R:N9KyjfM4VUCJ8rwFq7JysNv9R

Malware Config

Extracted

Family

xworm

C2

ekinox.myftp.biz:3080

Attributes

  • install_file

    USB.exe

Targets

    • Target

      Luxury Shield 7.1/ILMerge.exe

    • Size

      912KB

    • MD5

      35a3dc21f6e0ed6a8423f7455a379f9c

    • SHA1

      631b3d76f02b386e0bac33fa8a0cb464cef984be

    • SHA256

      4a0dac9d63c87b726285cbcab13757db23acb82f29f4bd4806a26997ce11f5f4

    • SHA512

      3abea20d1e5d6083faca67901488d9ce318a4f9929afb1b223a9dcff4fa440408928183aa712e6d0d25dbcea603da31eae09a481641a6bcde9e8eda95e336cfb

    • SSDEEP

      12288:X0zOaLOF4xKbTQ+ZyoMyixinEcD2B7I3x6cDjGCErg1oh:X7dLM9inTxtRa

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Luxury Shield 7.1/Luxury Shield 7.1.exe

    • Size

      10.4MB

    • MD5

      7da08bb44a74d40e588cd8a0200c4917

    • SHA1

      1362eec3dd846d5f99d39e1a8add8e8965447a64

    • SHA256

      7b70dfbab96df3d99b9b5922ad0baeaa3fd6b16774a3e11d783fa67c379368e8

    • SHA512

      d09525c8968390ddcbd81c77c41d58bed992510e14ba6ef1533795c3b4b94c14bca403dd1707b56798e10a89583c2afdc27b910a6b4ce62d0e38fd2b18cb18c7

    • SSDEEP

      196608:YRue0PF8bumHRuyNI+GYpDchQLUGY2xwwxY7pP+mqxMOjakDsYZ:8C8bPgy7MQ7YLwxmP+9xMOWusY

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Luxury Shield 7.1/Pass to use.txt

    • Size

      199B

    • MD5

      e64fa2857632e555cc98d354f727e6b9

    • SHA1

      30a66b75db03413d1f092100088163715f9ca9c1

    • SHA256

      95733b0af4d654870f40c2a2bd64a2f980a4ea377a088599e519238f666a69a0

    • SHA512

      73f942f9f26ca2d641e308828efa940ee19a87c9ce5d9072cb2896a98d1809289e99feffad26fe40e8c597bc120b9a56840e133f7430bace7b23e7e969918c1c

    • Score

      1/10

MITRE ATT&CK Enterprise v6

Tasks