General

  • Target

    YoutuberSim.exe

  • Size

    41KB

  • Sample

    240503-w5zz3sda5t

  • MD5

    80c246b87898e0d5fe222de1e847649d

  • SHA1

    6e66e5c904bbb12da1ca0256665cb49c50585708

  • SHA256

    5c2fd2a77afa5180db4c4da112c59aea66122cda903bbeefc6757f54b6b5528b

  • SHA512

    d4b1c63f65bad9514b94bc4d3cc43ca49adc98a1b9dab40d10a0a158197ffa157aede9792c42c3375a7ad7ad97acc94d14f55658aa2a68ea46f3370ebf4e833b

  • SSDEEP

    768:AnYoD/rMRbLOAGIeA0ol5tdxTUbGsF5PG9WP0WOwhO35uO:aTIjGIxtlbwlFI9WP0WOwMoO

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

BnQoxDZzN0M2ZhyJ

Attributes
  • Install_directory

    %AppData%

  • install_file

    HumanFallFlat.exe

  • pastebin_url

    https://pastebin.com/raw/cLi4Nvx0

aes.plain

Targets

    • Target

      YoutuberSim.exe

    • Size

      41KB

    • MD5

      80c246b87898e0d5fe222de1e847649d

    • SHA1

      6e66e5c904bbb12da1ca0256665cb49c50585708

    • SHA256

      5c2fd2a77afa5180db4c4da112c59aea66122cda903bbeefc6757f54b6b5528b

    • SHA512

      d4b1c63f65bad9514b94bc4d3cc43ca49adc98a1b9dab40d10a0a158197ffa157aede9792c42c3375a7ad7ad97acc94d14f55658aa2a68ea46f3370ebf4e833b

    • SSDEEP

      768:AnYoD/rMRbLOAGIeA0ol5tdxTUbGsF5PG9WP0WOwhO35uO:aTIjGIxtlbwlFI9WP0WOwMoO

    • Detect Xworm Payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ModiLoader First Stage

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks