General

  • Target

    Built.exe

  • Size

    10.7MB

  • Sample

    240521-rdgbfage9w

  • MD5

    762348f1a6f0f39d9e461e5afd716581

  • SHA1

    682a770c2ec6085049a2cc2b6da689906f949581

  • SHA256

    5ee8240a671f3d87b1c4290dbd81350ae8a5809a801055a4eff2c9811ca9a0f9

  • SHA512

    8b0606eb5c737edbea22124d774b4612e6a214e10b7f630da955866f74fbc4df1aa52504ddb7e5086a7283d8090b37ef6ffac74315a9fccf535802424aa2e961

  • SSDEEP

    196608:Izhu+r7PnILLZWdoCOi8DwGcsAgeRtcGfcY3gtAr2e+SPz1:0r7M5li8k3meXcGfdWe+61

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:40656

147.185.221.16:40656

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    WinDefenderClient.exe
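The extracted config above (two host:port entries, an install directory of %Userprofile% and an install file name) plus the file hashes are enough to hunt with. The following Python is an added example, not part of the sandbox report or any XWorm tooling: it drops the non-routable loopback C2 entry, expands the install path for a given profile, checks a local file's hashes against the report, and matches constructed telemetry records. The event records and their field names are assumptions, loosely modelled on Sysmon network-connection and file-create events, and are not output from this run.

```python
"""Hunting helpers derived from the extracted XWorm config and file hashes.
Added example, not sandbox output. SAMPLE_EVENTS and its field names are
constructed for illustration (assumed, loosely Sysmon-like)."""
import hashlib
import ipaddress
import ntpath

# Indicators copied from the report.
SAMPLE_SHA256 = "5ee8240a671f3d87b1c4290dbd81350ae8a5809a801055a4eff2c9811ca9a0f9"
EXTRACTED_C2 = ["127.0.0.1:40656", "147.185.221.16:40656"]
INSTALL_DIRECTORY = "%Userprofile%"
INSTALL_FILE = "WinDefenderClient.exe"


def file_hashes(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, for confirming a local file really is
    the sample described in the report before relying on its indicators."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_reported_sample(data: bytes) -> bool:
    return file_hashes(data)["sha256"] == SAMPLE_SHA256


def actionable_c2(entries):
    """Parse host:port strings and keep only routable destinations.

    The extracted config lists 127.0.0.1 next to the real server. A loopback
    (or RFC 1918 / link-local) address is useless as a network indicator and
    would only produce false positives, so it is dropped here.
    """
    keep = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            continue
        keep.append((host, int(port)))
    return keep


def expected_install_path(userprofile: str) -> str:
    """Where the config says the RAT installs itself for one profile directory."""
    directory = INSTALL_DIRECTORY.replace("%Userprofile%", userprofile)
    return ntpath.join(directory, INSTALL_FILE)


def match_events(events, c2=None):
    """Return (event_index, reason) for records touching the C2 or install file."""
    c2_set = set(actionable_c2(EXTRACTED_C2) if c2 is None else c2)
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "network" and (ev["dst_ip"], ev["dst_port"]) in c2_set:
            hits.append((i, f"connection to XWorm C2 {ev['dst_ip']}:{ev['dst_port']}"))
        elif ev["type"] == "file" and ntpath.basename(ev["path"]).lower() == INSTALL_FILE.lower():
            hits.append((i, f"XWorm install file written: {ev['path']}"))
    return hits


# Constructed telemetry with assumed field names; not from the sandbox run.
# 203.0.113.5 is a documentation-range address standing in for benign traffic.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Users\alice\WinDefenderClient.exe",
     "dst_ip": "147.185.221.16", "dst_port": 40656},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "file", "image": r"C:\Users\alice\Downloads\Built.exe",
     "path": r"C:\Users\alice\WinDefenderClient.exe"},
    {"type": "network", "image": r"C:\Users\alice\WinDefenderClient.exe",
     "dst_ip": "127.0.0.1", "dst_port": 40656},
]

if __name__ == "__main__":
    print("actionable C2:", actionable_c2(EXTRACTED_C2))
    print("install path:", expected_install_path(r"C:\Users\alice"))
    for idx, reason in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Only the second C2 entry survives filtering, so a network block or hunt should key on 147.185.221.16:40656; the loopback entry is still worth keeping in the config record because its presence is characteristic of the build, just not as a network indicator.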

Targets

    • Target

      Built.exe

    • Size

      10.7MB

    • MD5

      762348f1a6f0f39d9e461e5afd716581

    • SHA1

      682a770c2ec6085049a2cc2b6da689906f949581

    • SHA256

      5ee8240a671f3d87b1c4290dbd81350ae8a5809a801055a4eff2c9811ca9a0f9

    • SHA512

      8b0606eb5c737edbea22124d774b4612e6a214e10b7f630da955866f74fbc4df1aa52504ddb7e5086a7283d8090b37ef6ffac74315a9fccf535802424aa2e961

    • SSDEEP

      196608:Izhu+r7PnILLZWdoCOi8DwGcsAgeRtcGfcY3gtAr2e+SPz1:0r7M5li8k3meXcGfdWe+61

    • Deletes Windows Defender Definitions

      Runs the Windows Defender command-line utility MpCmdRun.exe with -RemoveDefinitions -All, which deletes every installed Defender signature set and leaves the host without current detections.

    • Detect Xworm Payload

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Reads browser profile data on disk; infostealers target this data because it holds saved credentials, cookies and autofill entries.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
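Three of the behaviours in the list above (Defender definition removal through MpCmdRun.exe, PowerShell execution, and running the EXE dropped into %USERPROFILE%) are visible in process-creation telemetry. The Python below is an added example, not part of the sandbox report, showing the detection logic run over constructed events. The ProcEvent field names and all sample command lines are assumptions; the only documented fact it relies on is that MpCmdRun.exe -RemoveDefinitions -All deletes every Defender definition set.

```python
"""Process-creation triage for the behaviours listed for this target.
Added example, not sandbox output. ProcEvent fields and SAMPLE_EVENTS are
constructed/assumed for illustration."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# An EXE sitting directly under a user's profile root (C:\Users\<name>\x.exe),
# which is where the extracted config installs the RAT. Subdirectories such
# as Downloads or AppData are deliberately not matched to limit noise.
PROFILE_ROOT_EXE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list:
    """Return the behaviour tags that apply to one process-creation event."""
    tags = []
    name = _name(ev.image)
    cmd = ev.command_line

    # Defender definition removal. -SignatureUpdate and other MpCmdRun actions
    # are routine, so only -RemoveDefinitions is flagged; -All wipes every set.
    if name == "mpcmdrun.exe" and re.search(r"(?i)-RemoveDefinitions\b", cmd):
        if re.search(r"(?i)\s-All\b", cmd):
            tags.append("defender_definitions_removed_all")
        else:
            tags.append("defender_definitions_removed")

    # PowerShell use, with a stronger tag when the parent is a binary living
    # in the profile root, as the installed XWorm payload would be.
    if name in ("powershell.exe", "pwsh.exe"):
        tags.append("powershell")
        if PROFILE_ROOT_EXE.match(ev.parent_image):
            tags.append("powershell_child_of_profile_root_exe")

    # Execution of an EXE dropped straight into %USERPROFILE%.
    if PROFILE_ROOT_EXE.match(ev.image):
        tags.append("exe_run_from_profile_root")

    return tags


def flagged(events) -> list:
    """Indices of events that received at least one tag."""
    return [i for i, ev in enumerate(events) if classify(ev)]


# Constructed events, not sandbox output. Paths and command lines are assumed.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\alice\Downloads\Built.exe",
              r"C:\Users\alice\WinDefenderClient.exe",
              r'"C:\Users\alice\WinDefenderClient.exe"'),
    ProcEvent(r"C:\Users\alice\WinDefenderClient.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -WindowStyle Hidden -Command "Get-Process"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe",
              r'"C:\Users\alice\AppData\Local\Programs\Editor\editor.exe"'),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, _name(ev.image), classify(ev))
```

The definition-removal tag is a triage lead rather than a verdict: administrators do occasionally run -RemoveDefinitions to recover from a bad signature update, so correlate it with the parent chain (here PowerShell spawned by an EXE in the profile root) before acting on it.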

MITRE ATT&CK Enterprise v15

Tasks