Resubmissions

25/02/2024, 10:22

240225-mebecsac2x 3

23/02/2024, 18:31

240223-w6jz9afg3w 8

04/08/2023, 03:14

230804-drdktahb84 10

General

  • Target

    NameTag_Mod.dll

  • Size

    65KB

  • Sample

    230804-drdktahb84

  • MD5

    6a8bb5dc6693d1cc59b1354346e14c32

  • SHA1

    353fb6d921da3787dbce66580a569400c00f8d08

  • SHA256

    e38e93ce4d34f2f83b0a07f5ebc7e14e15aad707da51237089c47b68fc5894d1

  • SHA512

    5280cd48079697ee476e55f0a008e5623d50de055b70fb25faf108b9b580fe22dbccb0edb89d5cf52fb540fb2f2b8239b5fcba9c6a3c10c21fabd400842b3809

  • SSDEEP

    1536:jF07uGyNJ9yYvqUGUsg1PDYHYRad1zXlD:xuuTNJCMDON1zVD

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Mutex

QzAhoVCMVTYlhtN9

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      NameTag_Mod.dll

    • Size

      65KB

    • MD5

      6a8bb5dc6693d1cc59b1354346e14c32

    • SHA1

      353fb6d921da3787dbce66580a569400c00f8d08

    • SHA256

      e38e93ce4d34f2f83b0a07f5ebc7e14e15aad707da51237089c47b68fc5894d1

    • SHA512

      5280cd48079697ee476e55f0a008e5623d50de055b70fb25faf108b9b580fe22dbccb0edb89d5cf52fb540fb2f2b8239b5fcba9c6a3c10c21fabd400842b3809

    • SSDEEP

      1536:jF07uGyNJ9yYvqUGUsg1PDYHYRad1zXlD:xuuTNJCMDON1zVD

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables RegEdit via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks