General

  • Target

    penos.zip

  • Size

    82.3MB

  • Sample

    240527-ncjhmaad76

  • MD5

    7bfab1f4c9a40cf240fae1b31bef8a08

  • SHA1

    9aa74dc1c17c3e89e118e9098a55e5e5d9b394bd

  • SHA256

    da87a51e5599493f619348e983e447e3c3ffdb59acebd8b69119a4f272daa85c

  • SHA512

    bdc529b61383150320c423bdb5bf55afbaf8697f0dea6be4f29ee67333000026ed5f218bf91b6cccb60b210c516c2f4845786357a1cfef888bd0b5af2ef06c1c

  • SSDEEP

    1572864:mAjAq4HBwDHup/Eys11xDzNBwYw76w6b536dHwipDxU95aZ8YCztZXcfzr+MA:/0iStsHxDzXwYwsQdQQDxU95aaLBMA

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

lute4ql2kQEsQ5jF

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    Steam.exe

  • pastebin_url

    https://pastebin.com/raw/L03qgun0

  • telegram

    https://api.telegram.org/bot6993229957:AAHEakdfReLdmvZfu_SKkbkjQu_FQo8OuNM/sendMessage?chat_id=6997816064

aes.plain

Targets

    • Target

      penos.zip

    • Size

      82.3MB


    • Score

      1/10

    • Target

      FizzyLoader/.FizzyLoader..exe

    • Size

      296KB

    • MD5

      0b65f0386ba941b6b611c06e5fc13bc9

    • SHA1

      2b14f00ea554baa5f77c764078bd3f6e5f196178

    • SHA256

      b240d620b5fcd62182a16433c4990014d0a67e3a096838c0e6b2d849140b3199

    • SHA512

      211e93004a447bde01f0f8d9426c05026b6acb2ced055166a2e2a551d93d62d8a96173efdb99617bb200234d00d76207a5321f5b442fb087aa75097b1801fd1c

    • SSDEEP

      6144:PhLY3fHcPBkpHPR8WIS9XgorLS6PaOKI0qc8cDbcVdH:6I6pvBqEeqc7sH

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks