General

  • Target

    SolaraBETA3.zip

  • Size

    55.4MB

  • Sample

    240522-vhbtashg57

  • MD5

    3ef86eb8224edf981f24a2f429de888a

  • SHA1

    fe0199be4fe0f3702459c30535492bdbfed2440a

  • SHA256

    4e45f4d9791dfc23b25eabe6cc0c2e6d5590af67df744ce7f5dde4dc6581006c

  • SHA512

    b82cf9ae2cb5ba4d0084a2c6305cda99a4828ffb29e1f861f32316d355717f9d497bc370f30d9c8cc23158e8918163aaf434eabecc40838cc8f0377b73bbfc1f

  • SSDEEP

    786432:OxSM6Glea1yFeyRRCH3XQLtKGnHfj8UEfP2rdVsiUHetSK+0EA6hnZZcr47Aeo5Z:OxxZRyAQRQwQH9fP2YiU+tvqZZcxe/qB

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/cXrVe9uw

  • telegram

    https://api.telegram.org/bot6979293307:AAEOPp5yyNk59nmm3T6LeHhjYWWOLjWSYdU/sendMessage?chat_id=1370207735

Targets

    • Target

      SolaraBETA3.zip

    • Size

      55.4MB

    • MD5

      3ef86eb8224edf981f24a2f429de888a

    • SHA1

      fe0199be4fe0f3702459c30535492bdbfed2440a

    • SHA256

      4e45f4d9791dfc23b25eabe6cc0c2e6d5590af67df744ce7f5dde4dc6581006c

    • SHA512

      b82cf9ae2cb5ba4d0084a2c6305cda99a4828ffb29e1f861f32316d355717f9d497bc370f30d9c8cc23158e8918163aaf434eabecc40838cc8f0377b73bbfc1f

    • SSDEEP

      786432:OxSM6Glea1yFeyRRCH3XQLtKGnHfj8UEfP2rdVsiUHetSK+0EA6hnZZcr47Aeo5Z:OxxZRyAQRQwQH9fP2YiU+tvqZZcxe/qB

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Command and Control

Web Service

1
T1102

Tasks