General

  • Target: Client.exe
  • Size: 236KB
  • Sample: 240414-xvvhaabc65
  • MD5: a028b5632baee59e592ec4b0ffb2e165
  • SHA1: fecc2f30390246025cb620350c69622fe513fc47
  • SHA256: e31541442c6ea6b69ac70159e8a532842bbdfe79d3e2acae6cca56a805458e93
  • SHA512: 3559335b7507a119928e533f4b40533fa12a78f18ea47d721e213df9977e74094d72c4ed9d020124a03190d81f036688101a306634bcb00e220644e4b5997d2f
  • SSDEEP: 3072:JjiIp0HJTdBot+Jo8PlHzHtAMZJ/k1TzngKYHOPQzhbawfhPkF2tV4j8:4Ip05roOo8PlzHaMZG1Tz/YuPGbByJj8

Malware Config

Extracted

  • Family: xworm
  • C2: php-oman.gl.at.ply.gg:25211
  • Attributes
    • Install_directory: %AppData%
    • install_file: svchost.exe

Targets

    • Detect Neshta payload

    • Detect Xworm Payload

    • Modifies WinLogon for persistence

    • Neshta

      Malware in the Neshta family infects other files in order to spread and cause damage.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables Task Manager via registry modification

    • ACProtect 1.3x - 1.4x DLL software

      Detects files protected with ACProtect.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
