General
-
Target
ey341.exe
-
Size
64KB
-
Sample
240708-ca533axaml
-
MD5
a43a55c5578f61d05ce146ead83e745a
-
SHA1
83093f791120d3e74b0d0847aebc52d3c9f04078
-
SHA256
de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
-
SHA512
a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
SSDEEP
1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
winlogon.exe
-
pastebin_url
https://pastebin.com/raw/kTrgfRNT
-
telegram
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Extracted
gurcu
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Targets
-
-
Target
ey341.exe
-
Size
64KB
-
MD5
a43a55c5578f61d05ce146ead83e745a
-
SHA1
83093f791120d3e74b0d0847aebc52d3c9f04078
-
SHA256
de4d28dd8c9208fe86dec1e014913f3cfefdcadf73a7adb6eb062677f5f5772f
-
SHA512
a49839e60d77003090e0c9f602a64e597648e7151d99c5096479984cee32d376c8bd425114704b9366d213d0e9494900a726dead28e0548c5b7788ad5e5cbf1d
-
SSDEEP
1536:BmxzG1o8ep4jtWQ/GZg8S7gbgUBGK7/J6DOSsvk:Bmx61oFp4jtWQuuLgbgUgK7AOSss
Score10/10-
Detect Xworm Payload
-
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
-
Modifies WinLogon for persistence
-
UAC bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1