General

  • Target

    wv.zip

  • Size

    8.1MB

  • Sample

    240722-f4s75s1cmm

  • MD5

    74f1a556858306f10facdd13afef3876

  • SHA1

    2785e176a4fb8360ed0708205104a77d48e385a2

  • SHA256

    c7a74e51044e62ab518f212afb21d7fbe6ad6cc428868ebb8729e754bd8b0b10

  • SHA512

    1af1c05ba7e5043928c7d4b14db051dc07445e7ed950bc4f9a751cefc9b44f729f0a91690695d7f4863dcb96ba8877ff6c4735761c1b518c03bf3280e380f6d7

  • SSDEEP

    196608:YxDW3hc30N6CimAPcLvKX9WMpacf1drt1VEy:mD0cc6CLOcLyX9WTSl9Ey

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    C9IM3x5CL1ZIpfuG

  • Attributes

    • Install_directory

      %LocalAppData%

    • install_file

      ReAgentC.exe

    • pastebin_url

      https://pastebin.com/raw/UWpQULMP

    • telegram

      https://api.telegram.org/bot7420124943:AAF1r0gN9LdH2HJhpp3RjQMBU2cphBasfrs

  • aes.plain

Targets

    • Target

      Wave/CefSharp.Core.Runtime.dll

    • Size

      1.3MB

    • MD5

      09cba584aa0aae9fc600745567393ef6

    • SHA1

      bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279

    • SHA256

      0babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5

    • SHA512

      5f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1

    • SSDEEP

      24576:5Ac2t6Twn/0ke6ruDPMY0BQJzTzAC991g44ekgpqc4CQKZi5P9xh0gsWLgiHesms:q6TmQJrXg44ekgpqc4CQKZi5P9xh0gsI

    • Score

      1/10

    • Target

      Wave/WaveWindows-nc.exe

    • Size

      5.5MB

    • MD5

      e9c64620dc920a64a2448e78de1cff90

    • SHA1

      08e62b663da83d2fe304bba18381e87192313201

    • SHA256

      26838283be0848527497674165c96a7683ccdbac999d8a226d9878a3ca7717a5

    • SHA512

      83ef90821b8da79218c20c0ab287c1155f6d9fe36bee0419187ef215c73a66c33502966cfef4c17ac89502777518f1d00357387716ef914b0c82b0615ea12fc3

    • SSDEEP

      49152:N3hTD+mOHaN2e1AUgbOtf7s51lL7Grsm4IPMWnjy5EAP+VZ1LojCWvzThoCW0vai:RJj2etsR7Ggm2Ey1yJvUyb

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      Wave/bin/lz4.dll

    • Size

      117KB

    • MD5

      f7e2f224f8dbe22012c7ff20590b8770

    • SHA1

      99775e038e306a2b5f73f6e7d8d42a5799ace824

    • SHA256

      c62f829bc0f820bca6bf14b380b285a169cd1395df864bbec692f8ca31bc4e70

    • SHA512

      96d2938cd77b48e4efdc7212a92327ac5ce43ad757fcff88eb5cbd3eb2fac1bbcaa2e119881f3cb902c634db8ef16e69146ebfe972ab0ecb2cf3b769e0818f89

    • SSDEEP

      1536:FVP0R6tS1m4baJ1ocCcl+DBZD5C3gTg60bEior69ggjpA38Ajcqv:Fxy9bs1oTfBZDugTgpbEXh0A38AYk

    • Score

      1/10

    • Target

      Wave/bin/wolfssl.dll

    • Size

      1.2MB

    • MD5

      a396ee8375252d04da31676fe1b3ff75

    • SHA1

      57aee1e5b69a85d0e0b7d5a103ddb683f0204cce

    • SHA256

      7dc3aeda7518abb376a6932583669e7e1595a656edeae65af1397807322e8a25

    • SHA512

      ff755bed789869a8cc2adc05b7a3b234ef93997b1774cc719d506ce4dd03fcd0ed6d320a13d815e27a21ebdf99f3308ea47a8de6b9a25ca4eaa8fb4045fbb0db

    • SSDEEP

      24576:yoCqsxtqSepCBr5fFrHodqht+tmiw9P9TsdJRV5Wodh8NHmoz:3CzASep0r5fFrHoUht+tU9TsrRV5WodE

    • Score

      1/10

    • Target

      Wave/bin/xxhash.dll

    • Size

      45KB

    • MD5

      161bd3d60228dd16c54a927250af3e49

    • SHA1

      463243c3cc2e0bca16f3ced2c3b70c13a0e97fa6

    • SHA256

      ecb5aa2bf0ff355a7b36bb3a991264655e13e0f2c9e88b9dfa39d7fe4c5142a7

    • SHA512

      3716ce34c1e9931007f374685a6588bc355e942872e7a42eaa4c5be9a0fdc93f081a1dc5c3d8fec4a4563dbd556f4d046f7bf3d50840c02d8aa822eaca7a577b

    • SSDEEP

      768:I9otvM7DZ1LMDJdj+LVvgFlJus4zBOQdlyR0/A:I9UEDLMDJxKM0scUS

    • Score

      1/10

    • Target

      Wave/bin/zlib1.dll

    • Size

      87KB

    • MD5

      f6fc96cfccdd9958a157546faa4c13a9

    • SHA1

      ae8e4171a0583a761ae4428e5757daeedaf2a157

    • SHA256

      231e29c228652e9d6504e608a1cc53311e762cd4c78deb7c9ef11bc27f13d3da

    • SHA512

      fb983083b5c620616d2547a7903f8ebfd2ad52ed9bdde8264b6e555fb47644c488779d3ade52f5e601dbc31e67f40ea973f41f45af242790dc5d8a91c163c8dc

    • SSDEEP

      1536:Q7wjHHWwn1rhEzjEp70E2thqlz4bqIOcIOZFkGnd02H:QcjH2w1EjEpIq6b4SZFfndjH

    • Score

      1/10

    • Target

      Wave/bin/zstd.dll

    • Size

      634KB

    • MD5

      59c9f23830bfb7b4fdc81bbd1e719810

    • SHA1

      e58049c836931a22768ce2e4502b3a856e2ecd18

    • SHA256

      9c37186c40d01e0ed9a42846c66aba449be5fe6c2da18ef6794422b5fa2ff8eb

    • SHA512

      b52f1d0e764159453ddebd70665c3a43c61e963651cf671db8994c74f2dd35dcfc79b2c4d19c5e8d6c8564c824285426c1ec651b02f1956d331447e9405212ff

    • SSDEEP

      12288:iilkxK/S1adDEh1qMkUFZe8/pJcOAAqy:iilkb1adDEh1qMkYZe8/pJxAAZ

    • Score

      1/10

    • Target

      Wave/d3dcompiler_47.dll

    • Size

      3.9MB

    • MD5

      3b4647bcb9feb591c2c05d1a606ed988

    • SHA1

      b42c59f96fb069fd49009dfd94550a7764e6c97c

    • SHA256

      35773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7

    • SHA512

      00cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50

    • SSDEEP

      49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks