General

  • Target

    Downloads.exe

  • Size

    411KB

  • Sample

    240620-ngbnksyeqq

  • MD5

    87ac4c646fd5b62dbabf59fb6ef34fd7

  • SHA1

    45832029b6cfa6c4020ee0e1f965bd5898d5f137

  • SHA256

    65b6f1f4ac0fbc8a7a113548630b284a731e0b219bee029745f2710b6e02c51c

  • SHA512

    b647910eaeaee60b8d2378986bf824dfddfd9b3a4e0f2a8a723406da1a6072bf9171ee12fd0178e027ddfdc4be8fbb4d74f9e94dd470d4342c6711dbe9ea02b7

  • SSDEEP

    12288:Kat0EAH49n8BLaWNO8DlIlaRJ3wWxJS7Xy4WtZ:Ft24saW02pbWO4g

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32901

engineering-thoroughly.gl.at.ply.gg:32901

Attributes
  • Install_directory

    %AppData%

  • install_file

    OxyInstaller.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1253302699978526772/b5mqXVOEs47XQy9dHee2Po12VotJwgdPtLauhKlKoyBH-xF42vUZ2Glc0N58n1pvAEdH

Targets

    • Target

      Downloads.exe

    • Size

      411KB

    • MD5

      87ac4c646fd5b62dbabf59fb6ef34fd7

    • SHA1

      45832029b6cfa6c4020ee0e1f965bd5898d5f137

    • SHA256

      65b6f1f4ac0fbc8a7a113548630b284a731e0b219bee029745f2710b6e02c51c

    • SHA512

      b647910eaeaee60b8d2378986bf824dfddfd9b3a4e0f2a8a723406da1a6072bf9171ee12fd0178e027ddfdc4be8fbb4d74f9e94dd470d4342c6711dbe9ea02b7

    • SSDEEP

      12288:Kat0EAH49n8BLaWNO8DlIlaRJ3wWxJS7Xy4WtZ:Ft24saW02pbWO4g

    • 44Caliber

      An open source infostealer written in C#.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks