General

  • Target

    X Image logger beta V5.2.exe

  • Size

    596KB

  • Sample

    240621-lp4m8ayerl

  • MD5

    915c3cf41a3c84fffb96bd4eeab4e5dd

  • SHA1

    ba49c1e9b2f62a83a86473a0d98ee5201b7dcf58

  • SHA256

    5efe623eb5e9326ae70270135f6dcf2e3b48a62daef1f1685e3f1f0445db5de4

  • SHA512

    3a1826663c24c3ad13c98ce5a7cf1da1e59352a16a770cae5f5c744cbd096a7f7a68c31920f04ef6c82cf9348de3df889fdbd35b6dfe9027f7b94220e8e6d43d

  • SSDEEP

    12288:kBdlwHRn+WlYV+6R2aon8+lgbvXBgd8y5:kBkVdlYAKm88gbvxgdV5

Malware Config

Extracted

Family

xworm

Version

5.0

C2

modern-educators.gl.at.ply.gg:23695

Mutex

pObUje2ZDYSy43QF

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks