General

  • Target

    sus_protected.exe

  • Size

    105KB

  • Sample

    240315-bveaeafc32

  • MD5

    2bdf24dce352606a0f2242f8270bd824

  • SHA1

    15a49cf15a7145452d4f5a5f4ac473e80fe13af8

  • SHA256

    f730bbdf76ecc7e6a3cbc22516b2f66e6ce1bc0ff79f86fb651a9caa9020dba2

  • SHA512

    2d4ebaa1259204d7ff8ace8d28173b7df2b81bce81fb9d10d2d911488042499c6549c9895f7ff37c51bbd19b465b719a768706b570d1127d1c1e76a04508c348

  • SSDEEP

    3072:A89pI4WuF+2BCyRf2aQw9X/z4bXCTrdft6ozGiXobQzB:AUWXafcw9/z4bi

Malware Config

Extracted

Family

xworm

C2

hai1723rat-60039.portmap.io:60039

Targets

    • Target

      sus_protected.exe

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and Block at First Sight (typically by writing the Windows Defender policy keys in the registry).

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open-source infostealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
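The behaviours listed above boil down to a handful of registry, file, network and API observations. The following Python is an added example, not part of the Triage report or of the sample: it assumes a hypothetical flattened event-trace schema (a list of dicts with a 'type' key) and uses constructed events, and shows how a triage script would turn those observations into the ATT&CK techniques the report's signatures imply, plus an exact-match check against the extracted C2 host:port. It goes beyond the report in one respect: the SetThreadContext signature is evaluated as the full process-hollowing call sequence (suspended CreateProcess, WriteProcessMemory, SetThreadContext, ResumeThread against one child pid) rather than as a single API call.

```python
"""Behaviour-to-ATT&CK triage over a constructed event trace for sus_protected.exe.

Added example, not tria.ge/Hatching Triage code. Assumed, hypothetical event
schema: dicts with a 'type' key ('registry', 'file', 'dns', 'connect', 'api').
The C2 host and port are copied from the report; every event below is
constructed to illustrate a listed signature and is not real sandbox output.
"""
import re
from collections import defaultdict

# Extracted XWorm C2 from the report
C2_HOST = "hai1723rat-60039.portmap.io"
C2_PORT = 60039

# Registry paths touched by the report's behaviours, mapped to ATT&CK technique IDs
REGISTRY_RULES = [
    ("T1562.001", "Windows Defender component disabled via policy registry",
     re.compile(r"\\Policies\\Microsoft\\Windows Defender\\"
                r"(Real-Time Protection\\Disable\w+|SpyNet\\DisableBlockAtFirstSeen)$", re.I)),
    ("T1547.001", "Run key added for persistence",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("T1491.001", "Desktop wallpaper changed via registry",
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
    ("T1614", "Country code looked up in registry (possible geofence)",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]

# Browser credential/profile stores an infostealer such as StormKitty reads
BROWSER_DATA = re.compile(r"\\(Login Data|Cookies|Web Data|logins\.json|key4\.db)$", re.I)


def is_c2(host, port):
    """Exact match on host:port. portmap.io is a legitimate forwarding service,
    so matching the bare domain would be far too noisy for hunting."""
    return host.lower() == C2_HOST and int(port) == C2_PORT


def detect_hollowing(api_events):
    """Return child pids that saw the full process-hollowing sequence:
    CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> SetThreadContext -> ResumeThread."""
    stages = defaultdict(set)
    for e in api_events:
        name, pid = e.get("name", ""), e.get("target_pid")
        if name.startswith("CreateProcess") and e.get("flags", 0) & 0x4:  # CREATE_SUSPENDED
            stages[pid].add("create")
        elif name in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            stages[pid].add("write")
        elif name in ("SetThreadContext", "NtSetContextThread"):
            stages[pid].add("setctx")
        elif name in ("ResumeThread", "NtResumeThread"):
            stages[pid].add("resume")
    return sorted(pid for pid, s in stages.items()
                  if {"create", "write", "setctx", "resume"} <= s)


def triage(events):
    """Map a trace to {technique_or_tag: description} for every behaviour observed."""
    hits = {}
    for e in events:
        t = e["type"]
        if t == "registry":
            for tid, desc, rx in REGISTRY_RULES:
                if rx.search(e["key"]):
                    hits[tid] = desc
        elif t == "dns" and e["query"].lower() == C2_HOST:
            hits["C2:xworm"] = f"DNS lookup of extracted XWorm C2 {C2_HOST}"
        elif t == "connect" and is_c2(e["host"], e["port"]):
            hits["C2:xworm"] = f"Outbound connection to XWorm C2 {C2_HOST}:{C2_PORT}"
        elif t == "file" and e["op"] == "read" and BROWSER_DATA.search(e["path"]):
            hits["T1555.003"] = "Browser credential store read (StormKitty behaviour)"
    for pid in detect_hollowing([e for e in events if e["type"] == "api"]):
        hits["T1055.012"] = f"Process hollowing sequence against pid {pid}"
    return hits


# Constructed trace covering each signature in the report (hypothetical paths and pids)
SAMPLE_EVENTS = [
    {"type": "registry", "op": "set", "value": 1,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "registry", "op": "set", "value": 1,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen"},
    {"type": "registry", "op": "query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "op": "set", "value": r"C:\Users\user\AppData\Roaming\sus_protected.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sus_protected"},
    {"type": "registry", "op": "set", "value": r"C:\Users\user\AppData\Local\Temp\wall.jpg",
     "key": r"HKCU\Control Panel\Desktop\Wallpaper"},
    {"type": "file", "op": "read",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns", "query": "hai1723rat-60039.portmap.io"},
    {"type": "connect", "host": "hai1723rat-60039.portmap.io", "port": 60039},
    {"type": "api", "name": "CreateProcessW", "target_pid": 4120, "flags": 0x4},
    {"type": "api", "name": "WriteProcessMemory", "target_pid": 4120},
    {"type": "api", "name": "SetThreadContext", "target_pid": 4120},
    {"type": "api", "name": "ResumeThread", "target_pid": 4120},
]

if __name__ == "__main__":
    for tid, desc in sorted(triage(SAMPLE_EVENTS).items()):
        print(tid, desc)
```

The hollowing check deliberately requires all four stages on the same pid: a lone SetThreadContext call is what debuggers and some legitimate runtimes do, and flagging it alone is the main false-positive source for this signature.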

MITRE ATT&CK Enterprise v15