General

  • Target

    RblxExecutor.exe

  • Size

    1.6MB

  • Sample

    240522-xbe89acd77

  • MD5

    3a235f7f491d95d4727320239c0b4cb7

  • SHA1

    b66d02b69f9d2cf011164406c6bc93a6728a65eb

  • SHA256

    e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a

  • SHA512

    fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b

  • SSDEEP

    24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy

Malware Config

Extracted

Family

xworm

C2

185.196.8.135:7000

Attributes
  • install_file

    USB.exe

Targets

    • Target

      RblxExecutor.exe

    • Size

      1.6MB

    • MD5

      3a235f7f491d95d4727320239c0b4cb7

    • SHA1

      b66d02b69f9d2cf011164406c6bc93a6728a65eb

    • SHA256

      e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a

    • SHA512

      fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b

    • SSDEEP

      24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • XMRig Miner payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Looks for VMWare drivers on disk

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks