General

  • Target

    15052024_1514_14052024_S949757965.zip

  • Size

    340KB

  • Sample

    240515-smqrxafb4w

  • MD5

    ecdbb7706a0796fe04f416c5ab13bee8

  • SHA1

    158623cb23b471aa52af4502c6670b13996884d6

  • SHA256

    9d28016366915abcb761788b5945736bc06d48a52d7f4199ebe3ad37fca7a5ca

  • SHA512

    232373ef24003ca31b60b299256b2643a5e64c9aa6d98ebe9049723834e169a7409394b5db3e4b89c9d674863d403cb879b3e02bbd50f68d8df4fbb119ac35bc

  • SSDEEP

    768:rFwV6iUxqGWjuGunAssIf9vzW8p1XObDltt3mcRkpAr/IAuWuqnqpxLvfe:rF95qGWjqASfN5p1ebDN2krAAu82zW

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    xw9402may.duckdns.org:9402

    xwormay9090.duckdns.org:9090

  • Mutex

    5w6Cp63r66k4Jxsj

Attributes
  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      S949757965.vbs

    • Size

      300.0MB

    • MD5

      7d69463758d7daa176c7f0c2d7464b79

    • SHA1

      529d7c798fa96e8c78aad637f772812a7d9f6e85

    • SHA256

      28ea2a2652f1b206fa2c11b1f264fc3f0fdf60f45f21d3ba3ff9d50b7e118275

    • SHA512

      e3cc81bdffe7245af8ef23b104c17259d05f08922cb1aa9b501e1da254451379bae244fef7e1e91f980c5552297f181fd03ddce76beb255df3f26172f3b4b6d4

    • SSDEEP

      1536:zJF8FNK7mlIDCH6kN5cUh3Ooo7AhS+cYFQL4VrTflEiTGn:zM4CICHzXF3Oo/hSCegrrHGn

    • Detect Xworm Payload

    • Detect ZGRat V1

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (2)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Tasks