Overview

overview

10

Static

static

10

Xworm-V5.6...ox.dll

windows7-x64

1

Xworm-V5.6...ox.dll

windows10-2004-x64

1

Xworm-V5.6/Fixer.bat

windows7-x64

1

Xworm-V5.6/Fixer.bat

windows10-2004-x64

1

Xworm-V5.6...re.dll

windows7-x64

1

Xworm-V5.6...re.dll

windows10-2004-x64

1

Xworm-V5.6...ms.dll

windows7-x64

1

Xworm-V5.6...ms.dll

windows10-2004-x64

1

Xworm-V5.6...I2.dll

windows7-x64

1

Xworm-V5.6...I2.dll

windows10-2004-x64

1

Xworm-V5.6...or.dll

windows7-x64

1

Xworm-V5.6...or.dll

windows10-2004-x64

1

Xworm-V5.6....6.exe

windows7-x64

10

Xworm-V5.6....6.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Xworm-V5.6.rar

  • Size

    124.3MB

  • Sample

    240721-r8zfhatfjb

  • MD5

    e9f730d0562d286333d66e2557adbfcb

  • SHA1

    9abe1fa95363231139beaa58b29a54b80a4465a2

  • SHA256

    685b97041f1aa3e082b9816c798c7b9adeceb630ca63634035cf4fc4cbcc4cab

  • SHA512

    ac9bdd9ac60dae37e088cda6d26c8b5a1688c8efa4b3869858c5d8b422a83a8ef3bdd95a41ac3ad593739105e5a12fffcd38d3ac57833fa7515c62c003e54491

  • SSDEEP

    3145728:lqbnXls0EBbp/OifpPo+Pu3qqEBdTZNSpWuR6VR/BU+/1NEZju:o71s0iZ1oqtBdmWlBB/1NE8

Score
10/10
agentteslastormkittyumbralxwormexecutionkeyloggerpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1258826865888460840/AXNa-UDvvfmqdXbJtKI0nZsn0JGhgOBB1NuYxdFsJJVOw3zMA2BHwMqXF6N6AKQECFC6

Extracted

Family

xworm

C2

127.0.0.1:43101

Attributes
  • Install_directory

    %Public%

  • install_file

    BSOD.exe

Targets

    • Target

      Xworm-V5.6/FastColoredTextBox.dll

    • Size

      333KB

    • MD5

      b746707265772b362c0ba18d8d630061

    • SHA1

      4b185e5f68c00bef441adb737d0955646d4e569a

    • SHA256

      3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519

    • SHA512

      fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8

    • SSDEEP

      6144:4FErOIif3RzSHh+20lXs1TzCeBcQeDbNlz7:eEeR52bmeh0n

    Score
    1/10
    behavioral1behavioral2

    • Target

      Xworm-V5.6/Fixer.bat

    • Size

      122B

    • MD5

      2dabc46ce85aaff29f22cd74ec074f86

    • SHA1

      208ae3e48d67b94cc8be7bbfd9341d373fa8a730

    • SHA256

      a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

    • SHA512

      6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

    Score
    1/10
    behavioral3behavioral4

    • Target

      Xworm-V5.6/GMap.NET.Core.dll

    • Size

      2.9MB

    • MD5

      819352ea9e832d24fc4cebb2757a462b

    • SHA1

      aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

    • SHA256

      58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

    • SHA512

      6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

    • SSDEEP

      49152:ot12Gb/hz7ZsK9qY5uyUW57VC4IB1+fXhQ1hyCzMw/22fSg7gjxhUE/nbTC0xemh:oLbteKb57W1+PhQ1HM1gmJ/SZmh

    Score
    1/10
    behavioral5behavioral6

    • Target

      Xworm-V5.6/GMap.NET.WindowsForms.dll

    • Size

      147KB

    • MD5

      32a8742009ffdfd68b46fe8fd4794386

    • SHA1

      de18190d77ae094b03d357abfa4a465058cd54e3

    • SHA256

      741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

    • SHA512

      22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

    • SSDEEP

      3072:k1GmgYqIY/0YSDBRGlDUqL63budipxj64m8HWYh3vHbFwMhLJSb+:lIO6rGloqL63qW62lJ

    Score
    1/10
    behavioral7behavioral8

    • Target

      Xworm-V5.6/Guna.UI2.dll

    • Size

      1.9MB

    • MD5

      bcc0fe2b28edd2da651388f84599059b

    • SHA1

      44d7756708aafa08730ca9dbdc01091790940a4f

    • SHA256

      c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

    • SHA512

      3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

    • SSDEEP

      24576:FIVZLRYIVQd9INo3FDbWX7SsOobBTEAjg+m+ZFNwaxwGoHQ/jzK+:+oWodbi9XFEAjg+m+ZFKaxw

    Score
    1/10
    behavioral10behavioral9

    • Target

      Xworm-V5.6/IconExtractor.dll

    • Size

      10KB

    • MD5

      640d8ffa779c6dd5252a262e440c66c0

    • SHA1

      3252d8a70a18d5d4e0cc84791d587dd12a394c2a

    • SHA256

      440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2

    • SHA512

      e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32

    • SSDEEP

      192:7f77J4cGYyfQknxLvIgyLY5xJeU5pPpZlEAs:HS2yINgyLYLJR5wl

    Score
    1/10
    behavioral11behavioral12

    • Target

      Xworm-V5.6/Xworm 5.6.exe

    • Size

      31.5MB

    • MD5

      034f44acd00471fc4a78f212c40c0fe0

    • SHA1

      a59dfec703be202f3981a2de64f7674baf030648

    • SHA256

      f4b8369ca881ac2fc254a79bc8b42dbed81019ac2a518b40eb2b6cd8e22cf30f

    • SHA512

      37d6ffb0c6a2de1261f269e61bfc0905d4f49c68a34535d70b677dd660d6845e82eae5bed167e52c52f5c9b04e4d281b9693cb8b62c7311d2ac1cfddb00c81be

    • SSDEEP

      393216:vuyIhhkRka4i8EkZQVBl86ODlHTE9Nj+CEDJKRW3I1KpnP2elMOdN6:2yshkqNhQVj86OpgeCEDJKRWPpB4

    Score
    10/10
    agentteslaumbralxwormexecutionkeyloggerpersistencepyinstallerratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect Umbral payload

    • Detect Xworm Payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks