Overview

overview

10

Static

static

3

windows.exe

windows7-x64

10

windows.exe

windows10-1703-x64

10

windows.exe

windows10-2004-x64

10

windows.exe

windows11-21h2-x64

10

Resubmissions

08-02-2024 03:17

240208-ds6mzsdhcp 10

08-02-2024 03:05

240208-dlmxascc26 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    windows.exe

  • Size

    332KB

  • Sample

    240208-ds6mzsdhcp

  • MD5

    21b941b814ff8935b0f5b308a8c7ec9c

  • SHA1

    568e4c957b15f002eebb0bb291537e4c36c8f390

  • SHA256

    986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

  • SHA512

    dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18

  • SSDEEP

    6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ

Score
10/10
stormkittyxenarmorxwormcollectionevasionpasswordransomwareratrecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Targets

    • Target

      windows.exe

    • Size

      332KB

    • MD5

      21b941b814ff8935b0f5b308a8c7ec9c

    • SHA1

      568e4c957b15f002eebb0bb291537e4c36c8f390

    • SHA256

      986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

    • SHA512

      dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18

    • SSDEEP

      6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ

    Score
    10/10
    xenarmorxwormcollectionevasionpasswordransomwareratrecoveryspywarestealertrojanupxstormkitty

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Disables Task Manager via registry modification

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses Microsoft Outlook accounts

      collection

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

4
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks