Resubmissions

29-05-2024 15:18

240529-spknnsac5y 10

29-04-2024 13:18

240429-qkd9zsbg9t 10

General

  • Target

    Output.exe

  • Size

    16.0MB

  • Sample

    240429-qkd9zsbg9t

  • MD5

    1e0ddb44c2bb2d9940651433eb92c86d

  • SHA1

    7760a9728ccfdd144734d989cf9c6fdcaebb259f

  • SHA256

    e64455f4b8e898c1ebaf666344c0608bb344ca101126f543484ce2fc93cdc181

  • SHA512

    ae3aa92c417bce571d78ce886c2bb8d13927ee0d0a6c8a814025f785a19093adec1530ec357b03e94078ee2610ba862e322e9119835f9b7063bb40698bf47d8b

  • SSDEEP

    393216:pbymzsEp/VTTuTP4xhWRmQzQ3kwb9KmgwnqzKu8O+S1yjg/t:p2+sW/ZTujt9zQUwb93uAbE

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    Gorillatag client.exe

Targets

    • Target

      Output.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
