Resubmissions

25-01-2024 16:55

240125-ve6t9sbah7 10

25-01-2024 16:54

240125-vekxssbag6 10

General

  • Target

    bondswoofer.zip

  • Size

    21KB

  • Sample

    240125-ve6t9sbah7

  • MD5

    b4c85d93d404345e6dc351c61f74a251

  • SHA1

    964c83fa0df218af152da2b9f73845827cfb5d66

  • SHA256

    c50ed292c51e4e3d3e49903c14ae69615a96de03488804dca59992f9b357df1c

  • SHA512

    bc2f43b97fb0ac1d31140550a6c3a42ad9c56dded5f7f0086e34cda3f81edac1745d5907a4130e0d32c8c2dbdc44b306ec2fd1276c40f10d1096618ce88cf5ad

  • SSDEEP

    384:Ex+ntSN+Y3sv8DIX8mDP17YAwkISjwdbB/gP/YL7kv/UK3xFmY4k9uTPbNdqWtY:EStSN+Y3DIX8mZ7nwIMbBCa7kv/Uqmxq

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

2WgM0rfSwbTr1Dvs

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      bondswoofer.zip

    • Size

      21KB

    • MD5

      b4c85d93d404345e6dc351c61f74a251

    • SHA1

      964c83fa0df218af152da2b9f73845827cfb5d66

    • SHA256

      c50ed292c51e4e3d3e49903c14ae69615a96de03488804dca59992f9b357df1c

    • SHA512

      bc2f43b97fb0ac1d31140550a6c3a42ad9c56dded5f7f0086e34cda3f81edac1745d5907a4130e0d32c8c2dbdc44b306ec2fd1276c40f10d1096618ce88cf5ad

    • SSDEEP

      384:Ex+ntSN+Y3sv8DIX8mDP17YAwkISjwdbB/gP/YL7kv/UK3xFmY4k9uTPbNdqWtY:EStSN+Y3DIX8mZ7nwIMbBCa7kv/Uqmxq

    Score
    10/10
    • Target

      bondswoofer/PLEASE READ.txt

    • Size

      444B

    • MD5

      605d075e77300f41a9726a3315d5b659

    • SHA1

      c31db380729cb94a71bb9495b1308f1fb2c07ad2

    • SHA256

      5d3380780aead158ba1dfd654b609f9a11c1b55ebd281a664457335c4dce0038

    • SHA512

      9d7459e522bd870edc84a28555048d3e9f5687799ec92fc964f7fcd1c76eb787bc1648100a809878f2cd5b37d902df5e92e4807e8a907ce9c917f12d4cf9d00c

    Score
    10/10
    • Target

      bondswoofer/bondswoofer.exe

    • Size

      44KB

    • MD5

      9fa441ec9da9814a95c5fa25ef5fcd8f

    • SHA1

      6cc59b564c6ffcf4379a631539c5473294a181ff

    • SHA256

      a7c62b057fad7ce0cbe7ae7a16ff39d3aa90a07453f2b3d8e082f25d6f0eca36

    • SHA512

      58cae69b7e363056e5a0c825dece8a84c807ae94d0bd9cb7014de7efc7cbbe006409e7428ac36c3a4072693572c679142ce1129725358eb5ff4c93e8a9ef15c0

    • SSDEEP

      768:YDZmd+aZlEI39VqttHf3okU2jCp/lP7X+F+R9pPE576vOChIbWL2h:Y1w+slEI72t/5U2jG/FOF09Rm6vOCqWg

    • Detect Xworm Payload

    • Kinsing

      Kinsing is a loader written in Golang.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks