General

  • Target

    SantosExecutorInstaller.exe

  • Size

    136KB

  • Sample

    240508-r6w8cshg2x

  • MD5

    2c2c3af94bc32c880278a8d8c4fa831c

  • SHA1

    1ee1f7b2e91f66c8b79d6bb97924484580a9276d

  • SHA256

    2ab6390fcc902b46d3df5107416223da2d1c275d80aab0b7b7d6c0ee8c219644

  • SHA512

    7a774318d756e673ce761c480530e70f7dfa84ce7aaed162f577f19a4afa237695d9de1e1646019106ef52e8315025ec8ca9e0acd6aba13dd74773c7e9ea0efd

  • SSDEEP

    3072:yOT7HFq9tiUOjoBz65/M6If+3Js+3JFkKeTnE:zRq9LxBt25

Malware Config

Extracted

Family

xworm

Version

5.0

C2

introduction-specifications.gl.at.ply.gg:47117

Mutex

OJaM16tyEwtJe5lG

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7098399942:AAGbBTQcHRRS0fdzPhkmgHxFxRybEnM_OnM

aes.plain

Targets

    • Target

      SantosExecutorInstaller.exe

    • Size

      136KB

    • MD5

      2c2c3af94bc32c880278a8d8c4fa831c

    • SHA1

      1ee1f7b2e91f66c8b79d6bb97924484580a9276d

    • SHA256

      2ab6390fcc902b46d3df5107416223da2d1c275d80aab0b7b7d6c0ee8c219644

    • SHA512

      7a774318d756e673ce761c480530e70f7dfa84ce7aaed162f577f19a4afa237695d9de1e1646019106ef52e8315025ec8ca9e0acd6aba13dd74773c7e9ea0efd

    • SSDEEP

      3072:yOT7HFq9tiUOjoBz65/M6If+3Js+3JFkKeTnE:zRq9LxBt25

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Tasks