General

  • Target

    X Image logger beta V5.3.exe

  • Size

    281KB

  • Sample

    240621-ll13xsydqq

  • MD5

    133f3a19d32261097e674ed1bee74cc6

  • SHA1

    55b0c7f4cce8cc5c8db8c7024f7a3327b5ec9635

  • SHA256

    ef978e1a28ed69260daa1abede6e2b7c2dc70757e16fd7c3a0d20b353ba5fd21

  • SHA512

    1e71991df542ccbc1998772544d100163cb4d989302e429a0c487ef811dafbfa4c6fff5ea842dc5df492f82862ba7c0a5eddca93d1a3aaf1e3fb424f1e7595e2

  • SSDEEP

    3072:Y++eov7Fz9fZzOjnoRahEe0SzSeXX+pow1X70+OFNXqF0RrssIHtGNXElGRP1L:Ylz9AHhWBTWrsHH8FElg1

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    gmt-tamil.gl.at.ply.gg:34742

  • Mutex

    rP4MOeQc2jhpYogo

  • Attributes

    • Install_directory

      %Userprofile%

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      X Image logger beta V5.3.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks