General

  • Target

    EZTEAM0.0.7.exe

  • Size

    7.8MB

  • Sample

    240426-pnffsabf73

  • MD5

    79e6e964ad3a7e5b8008dc44553b784c

  • SHA1

    63684848b7c4530aa24c96c6223fddd7e1417702

  • SHA256

    a669abcbdbf3f91fcfdd6cb2d55c9ba68a020c11aaca6ddf0c5bbb5c234ed023

  • SHA512

    7e7d9aa748766b12473b178ee95c728f266e86d14110deaf9eb1937ff5343a0b7aaf0c69388eb4a918a236e19b95a87035b20792e04627ce45c630bd02c45013

  • SSDEEP

    196608:UuUTi2pHbUmUHtahgF8/LQS9fjvSG7LUIGmrl:gwmuahk8/LbxvSG7D1Z

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

    • Target

      EZTEAM0.0.7.exe

    • 44Caliber

      An open source infostealer written in C#.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
