General
Target: https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html
Sample: 240414-ljbp9aff54
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html
Resource: win10v2004-20240226-en

Malware Config
Extracted: xworm
5.0
sgC4GcOTq0MyOKDT
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/H3wFXmEi
Targets
Target: https://www.upload.ee/files/16472471/XWorm_V5.6.rar.html

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

Detect Xworm Payload

StormKitty payload

AgentTesla payload

Modifies Windows Firewall

.NET Reactor protector
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.

Executes dropped EXE

Uses the VBS compiler for execution

Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Create or Modify System Process: Windows Service (1)
Scheduled Task/Job (1)
Privilege Escalation
Create or Modify System Process: Windows Service (1)
Scheduled Task/Job (1)