General

  • Target

    SilverBulletPro‌‌.exe

  • Size

    3.3MB

  • Sample

    240522-1kf4pahg71

  • MD5

    3a05915ef59826910a7935060c9cb8f2

  • SHA1

    b89b7bbf347b380d98c56d7261f3780dbdd94290

  • SHA256

    ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d

  • SHA512

    8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b

  • SSDEEP

    49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH

Malware Config

Extracted

Family

xworm

C2

dsasinject-58214.portmap.io:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Targets

    • Target

      SilverBulletPro‌‌.exe

    • Size

      3.3MB

    • MD5

      3a05915ef59826910a7935060c9cb8f2

    • SHA1

      b89b7bbf347b380d98c56d7261f3780dbdd94290

    • SHA256

      ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d

    • SHA512

      8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b

    • SSDEEP

      49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks