Resubmissions

28-04-2024 17:54

240428-wgzz6sde3w 10

28-04-2024 10:02

240428-l2r5ysdb35 10

General

  • Target

    8d2faf1c3a857566f516c28da34b9479.exe

  • Size

    627KB

  • Sample

    240428-wgzz6sde3w

  • MD5

    8d2faf1c3a857566f516c28da34b9479

  • SHA1

    6151cc6fe9097e07676b8e7dca4057d4be292f44

  • SHA256

    93f357d221fc7f72bec7195e11c8a00b9e128448850a88ca66c8cc95fa47272f

  • SHA512

    42c3908b63b7b5960c53b11f34e8b42efa361107491236730d30dc258857006d0e7078d3c529fddbe2c44ffad1fc3ee181de01b51dc2e52e5fc38c43d6672420

  • SSDEEP

    12288:RgKJTegcva42lE21vVHEMsAi17CYcX685uQa5ro+sFUXPhuExaMpxfBJUw/:47a44E29Z1aCYcluI+ft

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

91.92.252.220:7000

41.199.23.195:7000

saveclinetsforme68465454711991.publicvm.com:7000

Mutex

bBT8anvIxhxDFmkf

Attributes
  • Install_directory

    %AppData%

  • install_file

    explorer.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Targets

    • Target

      8d2faf1c3a857566f516c28da34b9479.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution
  • Scheduled Task/Job (1) T1053

Persistence
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Privilege Escalation
  • Boot or Logon Autostart Execution (1) T1547
  • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Defense Evasion
  • Modify Registry (1) T1112

Discovery
  • Query Registry (3) T1012
  • System Information Discovery (4) T1082
  • Peripheral Device Discovery (1) T1120

Tasks