General
-
Target
sdafsdf.exe
-
Size
62KB
-
Sample
240416-xyzleaac42
-
MD5
5797a6b20156f0a2980d1065da29c0bf
-
SHA1
0ef27e2a5fdf026647861d7a621dfa3724b11a7b
-
SHA256
87d91a5a226ba8b4fc71b6056c6bd5517e658a063ed592ad7b8d0c2023bea832
-
SHA512
43860b663a748e01655ea35aa490148ce2b2e2ed68f65afa6ce5dd35e0f71f9196d6208efd854b70da2c0430212392340eb5cfd12ef60ca411c92fa5998af9a0
-
SSDEEP
1536:kZpWzfo/gqlER4c+HEbsEgrIsHWN6OOJAODK:1zA/gqKR4cRbsZHEOJAkK
Malware Config
Extracted
xworm
s7vety-47274.portmap.host:47274
-
Install_directory
%AppData%
-
install_file
End.exe
Targets
-
-
Target
sdafsdf.exe
-
Size
62KB
-
MD5
5797a6b20156f0a2980d1065da29c0bf
-
SHA1
0ef27e2a5fdf026647861d7a621dfa3724b11a7b
-
SHA256
87d91a5a226ba8b4fc71b6056c6bd5517e658a063ed592ad7b8d0c2023bea832
-
SHA512
43860b663a748e01655ea35aa490148ce2b2e2ed68f65afa6ce5dd35e0f71f9196d6208efd854b70da2c0430212392340eb5cfd12ef60ca411c92fa5998af9a0
-
SSDEEP
1536:kZpWzfo/gqlER4c+HEbsEgrIsHWN6OOJAODK:1zA/gqKR4cRbsZHEOJAkK
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
UAC bypass
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Allows Network login with blank passwords
Allows local user accounts with blank passwords to access device from the network.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Disable or Modify System Firewall
1Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1