General

  • Target

    2024-06-21_f8e0a95c7ce441f325d54697a1e2e8f6_hiddentear

  • Size

    186KB

  • Sample

    240621-rrsavsxdrr

  • MD5

    f8e0a95c7ce441f325d54697a1e2e8f6

  • SHA1

    d2cf7e73289db310b6c24399d5b2a79f1d38a579

  • SHA256

    3255a4375829fc6fcf9728f7ec7eba930908f846be9f8195ddfd5b991e5a7d6a

  • SHA512

    dc59550d46d7b6173b5c71f97c65f9226b2ba70e7094460d4d03c53dff7a91b3de4e15dbf52a4e13b08c61b9b38280876da49b5129b181e18fae45359600c5ad

  • SSDEEP

    3072:mjtYaj410NTbuGkBoyO3HM+lmsolAIrRuw+mqv9j1MWLQs:yas4iNbNkBp+lDAA

Malware Config

Extracted

Family

xworm

C2

1x.ddns.net:1406

157.254.164.12:1406

127.0.0.1:1406

Attributes

  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7270535319:AAG95IhiH2kzXMVOgKcNRqGl3LDv2EsEDWo

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables using Telegram Chat Bot

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15