General

  • Target: A Л‮gpj.exe
  • Size: 685KB
  • Sample: 240717-q2mbxstbmr
  • MD5: c7c5e457968b1ee3bd9b78de3fb1a85b
  • SHA1: 577da3fbd37a5d62ba0c0140a11a37d7862a2809
  • SHA256: 42401e825ec7e5a59c7a9130eba566504aa40bffcbc5df263b8edf00625dc6c1
  • SHA512: 620f9a1ba9a132595d172eadd863533e14ac48811ebecfdf653a2dd06b455a2fa5fa9fe24d3cfa13e8c6f1090eb2430147a5fe54d35b3d3e64d084bd4976c26e
  • SSDEEP: 12288:jyveQB/fTHIGaPkKEYzURNAwbAg8HPsR5c8MAg4emyWqVwhAOJ/JTkG:juDXTIGaPhEYzUzA0qpVROJtkG

Malware Config

Extracted

  • Family: xworm
  • C2:
      127.0.0.1:14365
      21.ip.gl.ply.gg:14365
  • Attributes
      • Install_directory: %Userprofile%
      • install_file: USB.exe

Targets

    • Detect Neshta payload

    • Detect Xworm Payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15