General

  • Target

    SexyBoy.bat

  • Size

    454B

  • Sample

    240526-xf436sga7y

  • MD5

    3d258a032b33d7f0e9c77be2db34372f

  • SHA1

    5530871c1fc729da367eb1c862ac73e093267e5d

  • SHA256

    9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c

  • SHA512

    18758cf96aa96a864125905d2de869f63a0d723b8ea39e651cc846b7b599c62f0b16b0341b707d127a5314d505e3f26ed2a0cea4231d8743c3055c2528687f41

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://github.com/Proxyonly/wewewewe/raw/main/Security.exe

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    paris-disciplinary.gl.at.ply.gg:63286

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      USB.exe

Targets

    • Target

      SexyBoy.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
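
The indicators above (the dropper hash, the %AppData%\USB.exe install file, the playit.gg C2 endpoint, and the Run-key and Defender-exclusion behaviours flagged by the signatures) are what a responder would sweep a host for. The following PowerShell is an added example of such a sweep; it is not sandbox output and not code belonging to the sample. The indicator values are taken from this report; the function names, search roots and output layout are my own assumptions.

```powershell
# Added example: a host IOC sweep built from the indicators in this report.
# It is not part of the sandbox output or of the XWorm sample. Function names
# and search roots are assumptions; the indicator values are from the report.
# Run from an elevated PowerShell: HKLM Run keys and Get-MpPreference exclusion
# lists are only fully readable as Administrator.

$Ioc = @{
    DropperSha256 = '9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c'  # SexyBoy.bat
    InstallFile   = 'USB.exe'                                # install_file, dropped under %AppData%
    C2Host        = 'paris-disciplinary.gl.at.ply.gg'        # playit.gg tunnel hostname
    C2Port        = 63286
}

# 1. Persistence: Run-key values that reference the reported install file.
function Find-RunKeyPersistence {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($name in $values.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are not Run values
            $command = [string]$values.$name
            if ($command -match [regex]::Escape($Ioc.InstallFile)) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
            }
        }
    }
}

# 2. Dropped binary: %AppData%\USB.exe. The report gives no hash for it, so
#    record the hash found on disk rather than comparing it to anything.
function Find-InstallFile {
    $path = Join-Path -Path $env:APPDATA -ChildPath $Ioc.InstallFile
    if (Test-Path -Path $path -PathType Leaf) {
        Get-Item -Path $path | Select-Object FullName, Length, CreationTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
    }
}

# 3. Dropper: any .bat under common user-writable locations whose SHA256
#    matches the report (Get-FileHash returns upper-case hex, hence -ieq).
function Find-DropperByHash {
    $roots = "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP
    Get-ChildItem -Path $roots -Filter '*.bat' -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -ieq $Ioc.DropperSha256 } |
        Select-Object FullName, Length, LastWriteTime
}

# 4. Defender tampering: the report's PowerShell signature adds exclusions for
#    extensions, paths and processes. A clean workstation normally has none.
function Get-DefenderExclusions {
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

# 5. C2: established TCP sessions to the tunnel host or its port. playit.gg
#    endpoints share IPs, so treat a port-only match as a lead, not a verdict.
function Find-C2Connections {
    $c2Ips = @()
    try {
        $c2Ips = @(Resolve-DnsName -Name $Ioc.C2Host -Type A -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { Write-Warning "Could not resolve $($Ioc.C2Host): $_" }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $Ioc.C2Port -or $c2Ips -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

'== Run-key persistence ==';  Find-RunKeyPersistence | Format-Table -AutoSize
'== Dropped install file =='; Find-InstallFile       | Format-List
'== Dropper by hash ==';      Find-DropperByHash     | Format-Table -AutoSize
'== Defender exclusions =='; Get-DefenderExclusions | Format-List
'== C2 connections ==';       Find-C2Connections     | Format-Table -AutoSize
```

Two caveats when using this. The C2 is a playit.gg tunnel, so the hostname is the durable indicator and the resolved IP and port are shared infrastructure that other tunnels reuse; a hit on port 63286 alone should be confirmed by the owning process. The SHA256 on this page is for the 454-byte SexyBoy.bat, not for Security.exe or USB.exe, so the sweep reports the hash of any USB.exe it finds instead of matching it against a value the report does not contain.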

MITRE ATT&CK Enterprise v15