General

  • Target

    tmp.bin

  • Size

    1.8MB

  • Sample

    240705-h64g1axbkd

  • MD5

    2b0e421675cce29669ceadff2ca758af

  • SHA1

    545fa8e208d8adc14e2d4ea669cb6d809c0152aa

  • SHA256

    5e5b928e89a0aabc7226211093683fea9e573ed82fd0286eacfdf3953c9062e8

  • SHA512

    6568e40acd7464282903d297c4a7c64398e00fc1e4d787f6e993fa6de7aa6c78308e7698517a98b2b144ee719e943002f56ffb0299e2ef8633350f03251904dd

  • SSDEEP

    6144:mx1iwfMPTymGeIHp58TY4adHganYLP3GAr0fSTSZlzOtvw9rI6HDCFixI+JAn3wk:w1Xd6T6qWArcSGZlgvw9rImCF+I93wk

Malware Config

Extracted

Family

xworm

Version

5.0

C2

185.29.11.111:7000

Mutex

B3bYPcOfuxE4gqjQ

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      tmp.bin

    • Size

      1.8MB

    • MD5

      2b0e421675cce29669ceadff2ca758af

    • SHA1

      545fa8e208d8adc14e2d4ea669cb6d809c0152aa

    • SHA256

      5e5b928e89a0aabc7226211093683fea9e573ed82fd0286eacfdf3953c9062e8

    • SHA512

      6568e40acd7464282903d297c4a7c64398e00fc1e4d787f6e993fa6de7aa6c78308e7698517a98b2b144ee719e943002f56ffb0299e2ef8633350f03251904dd

    • SSDEEP

      6144:mx1iwfMPTymGeIHp58TY4adHganYLP3GAr0fSTSZlzOtvw9rI6HDCFixI+JAn3wk:w1Xd6T6qWArcSGZlgvw9rImCF+I93wk

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks