xenarmor | 131caa81db3d4289abcead59e78047a30e587b3672269aafbee6c69773f06132

General

Target

Nursultan.exe
Size

336KB
Sample

240222-p9sy1aaa43
MD5

11ea5b76e048445966e926c28a2875c8
SHA1

86cceae0f4107c4a7a4a43cf109b259c6c416083
SHA256

131caa81db3d4289abcead59e78047a30e587b3672269aafbee6c69773f06132
SHA512

50a2df57d0ab34570884ec4b03cb6f76828f7a113712a84908112df31a72d79a80924ccbad0ffbe01125e232ef4d5a57141aee3abe8a4b8abfb24aafef22ce50
SSDEEP

3072:nvrQkJaztJqA3XbmJPO4AfNUyInA/e0dV9O8W4JWGh0hWT:nvr1SJDXbOqip0dV9O8W4w

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

7.tcp.eu.ngrok.io:14058

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  Nursultan.exe
- Size
  
  336KB
- MD5
  
  11ea5b76e048445966e926c28a2875c8
- SHA1
  
  86cceae0f4107c4a7a4a43cf109b259c6c416083
- SHA256
  
  131caa81db3d4289abcead59e78047a30e587b3672269aafbee6c69773f06132
- SHA512
  
  50a2df57d0ab34570884ec4b03cb6f76828f7a113712a84908112df31a72d79a80924ccbad0ffbe01125e232ef4d5a57141aee3abe8a4b8abfb24aafef22ce50
- SSDEEP
  
  3072:nvrQkJaztJqA3XbmJPO4AfNUyInA/e0dV9O8W4JWGh0hWT:nvr1SJDXbOqip0dV9O8W4w
Score

10^/10

xenarmor xworm collection evasion password persistence rat recovery spyware stealer trojan upx
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1