General

  • Target

    TS-240402-UF1.exe

  • Size

    266KB

  • Sample

    240402-wxnl3she48

  • MD5

    b6025357a4307501d65a2a989d8857cd

  • SHA1

    0cf8b11e59b95e53e98a70753100cc7e0650eb16

  • SHA256

    e9221099bc03b023dc78d936917224fbd287e48a3d9af940fdfb983fa20699b4

  • SHA512

    9a40f5fb878fee67d21ecde2c39df99b752cd4704e14344d82671996dfce5571fd48fc61832c838453013532775aad8071a9d353dea39cfad65b34a80e95e97d

  • SSDEEP

    3072:Z6zXpB76ecJuG7qnBnZ1a+Cs9a7tDYwXLW1ADwJbIifwHqDSIbciWszURuFS9yA/:Yr6ebGUFha7tIADybIifwxmU6qnD9p

Malware Config

Extracted

Family

xworm

Version

5.0

C2

103.10.69.73:7000

Mutex

oLq3CUBoyGamKNDd

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      TS-240402-UF1.exe

    • Size

      266KB

    • MD5

      b6025357a4307501d65a2a989d8857cd

    • SHA1

      0cf8b11e59b95e53e98a70753100cc7e0650eb16

    • SHA256

      e9221099bc03b023dc78d936917224fbd287e48a3d9af940fdfb983fa20699b4

    • SHA512

      9a40f5fb878fee67d21ecde2c39df99b752cd4704e14344d82671996dfce5571fd48fc61832c838453013532775aad8071a9d353dea39cfad65b34a80e95e97d

    • SSDEEP

      3072:Z6zXpB76ecJuG7qnBnZ1a+Cs9a7tDYwXLW1ADwJbIifwHqDSIbciWszURuFS9yA/:Yr6ebGUFha7tIADybIifwxmU6qnD9p

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks