Resubmissions

10-03-2024 06:56

240310-hqlbgseg66 3

10-03-2024 06:22

240310-g4whyaea98 10

General

  • Target

    XWorm V5.3.7z

  • Size

    43.4MB

  • Sample

    240310-g4whyaea98

  • MD5

    d06bfd3b8385b6da7d7cefa963ea7288

  • SHA1

    f97c1cd79b033be1b3487eb25a18a23839c06fcc

  • SHA256

    4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c

  • SHA512

    32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9

  • SSDEEP

    786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot6674855898:AAEqgJIld017FODaGpZtYNQshE6vteMfI6Q/sendMessage?chat_id=6645844086

Targets

    • Target

      XWorm V5.3.7z

    • Size

      43.4MB

    • MD5

      d06bfd3b8385b6da7d7cefa963ea7288

    • SHA1

      f97c1cd79b033be1b3487eb25a18a23839c06fcc

    • SHA256

      4d274a49cb04b5de876fd1c22ef6a42dd1625a33b4c045c207fd1fbc0a8f3b6c

    • SHA512

      32738af730ba3f25637cbe3256f1090bd797eefadf29ff6a09e6d75c90a64f35a5078895fa8b297b85cfaed219904c74d6b9d6ae5ddfe94299be1ebe46ca66a9

    • SSDEEP

      786432:B2fNnRSmGbKu8sHm5R/6MGWgIjvpoURlhWlJzNgeVCWoRLhfl6Bj:B2smu8/v/6xt8Dlh6JzdLoRLP6Bj

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks