Resubmissions

14-03-2024 23:58

240314-3z9ewsdb23 10

14-03-2024 17:20

240314-vwvhkahh9w 10

General

  • Target

    Xworm-V5.6.7z

  • Size

    18.5MB

  • Sample

    240314-3z9ewsdb23

  • MD5

    3b8cdead582e36eeb3b21522dcd6e0c4

  • SHA1

    e0eb4e8716bc450d3676342fb1110cba54269230

  • SHA256

    5173aa253b2d7a82d5ae086379ceb72530eb9ac0e2ec26ef05b173fbf2f7745c

  • SHA512

    993f13ec38ad286b2bfe63717ce56e5887e4fd2c9524ac88c4d4b9c0ba5633002bab6f1f37df0f2568ab17d16e2473bd97a742edc6b38aa078bf2c3999a64162

  • SSDEEP

    393216:uSRufEtT1Vnr2xa3FiPeRnwR1eTxuW7yrEQep/zzsr:uartfga1ibj+JyrPAs

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

K6ApJ9kePy3uingC

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Xworm-V5.6.7z

    • Size

      18.5MB

    • MD5

      3b8cdead582e36eeb3b21522dcd6e0c4

    • SHA1

      e0eb4e8716bc450d3676342fb1110cba54269230

    • SHA256

      5173aa253b2d7a82d5ae086379ceb72530eb9ac0e2ec26ef05b173fbf2f7745c

    • SHA512

      993f13ec38ad286b2bfe63717ce56e5887e4fd2c9524ac88c4d4b9c0ba5633002bab6f1f37df0f2568ab17d16e2473bd97a742edc6b38aa078bf2c3999a64162

    • SSDEEP

      393216:uSRufEtT1Vnr2xa3FiPeRnwR1eTxuW7yrEQep/zzsr:uartfga1ibj+JyrPAs

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

MITRE ATT&CK Enterprise v15

Tasks