General

  • Target

    684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3.exe

  • Size

    9.7MB

  • Sample

    240408-bzkyracg9v

  • MD5

    4c6db42fb635d9aef809b0617918cedb

  • SHA1

    9a426491d43c8350c29ac9767d99b87319febabb

  • SHA256

    684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3

  • SHA512

    734342a0d76e310be2a43c010885cb097dedbf1cb618a65da514d595461494a53b9cc284835a6fac6dfb476640c4044825028d655b531be8195c11581d47eb1b

  • SSDEEP

    196608:LlFMPfqmsrrk8TUjPVwKrwzV3c3pOVX7TLAHACUG5jV2f:B2erI8g9wZ32pygHAC/J2f

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/rD1sfZTw

Targets

    • Target

      684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3.exe

    • Size

      9.7MB

    • MD5

      4c6db42fb635d9aef809b0617918cedb

    • SHA1

      9a426491d43c8350c29ac9767d99b87319febabb

    • SHA256

      684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3

    • SHA512

      734342a0d76e310be2a43c010885cb097dedbf1cb618a65da514d595461494a53b9cc284835a6fac6dfb476640c4044825028d655b531be8195c11581d47eb1b

    • SSDEEP

      196608:LlFMPfqmsrrk8TUjPVwKrwzV3c3pOVX7TLAHACUG5jV2f:B2erI8g9wZ32pygHAC/J2f

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables containing base64 encoded gzip files

    • Detects executables packed with unregistered version of .NET Reactor

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks