Resubmissions

08-02-2024 03:17

240208-ds6mzsdhcp 10

08-02-2024 03:05

240208-dlmxascc26 10

General

  • Target

    windows.exe

  • Size

    332KB

  • Sample

    240208-ds6mzsdhcp

  • MD5

    21b941b814ff8935b0f5b308a8c7ec9c

  • SHA1

    568e4c957b15f002eebb0bb291537e4c36c8f390

  • SHA256

    986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

  • SHA512

    dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18

  • SSDEEP

    6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Targets

    • Target

      windows.exe

    • Size

      332KB

    • MD5

      21b941b814ff8935b0f5b308a8c7ec9c

    • SHA1

      568e4c957b15f002eebb0bb291537e4c36c8f390

    • SHA256

      986f5d92d64819c88ae6b48f2151cc780eb0aabe7d88bd488061f5efc48588fb

    • SHA512

      dc486028a9d29f8e37454b38928222a932134ab2534b8bdf191ddd7e85da4edf39802e21de1af6de061b20a162ac14440d43320f8837f927e8e9ea354567ed18

    • SSDEEP

      6144:rd4bYBotL3mIhs8DyFPd4U1mGvEMdn7Ml/wCmCJ:rd4EBCqL4RpMi9XmCJ

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables Task Manager via registry modification

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks