Overview

overview

10

Static

static

3

XWorm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm.exe

  • Size

    13.5MB

  • Sample

    240821-ctrpsavhrg

  • MD5

    1e7daac9ab67c09a7ca1ebceae3326b2

  • SHA1

    7312fc660bf03b863de0d4346e3ef462724626e6

  • SHA256

    5bfca9c997f452d4f001abcdfdd1115aa0ef97d5ba2cc48b4523f6fb87a0ba7a

  • SHA512

    5dd037b2f5e0e71c1190c3d300f257ae3fb5f2f9eac142d03e702058f960c9017f1511767a38403f00aae8ee73d6d5ac91095e8389e6fbc254ea2dbf82d7be90

  • SSDEEP

    196608:KOI24UT0mBlShweFDkiVl9qDgC4lukrWuPqllxlshCsWHmn:KOI2pi7dkiVqUJ5rWdtlsMsWHmn

Score
10/10
stormkittyxwormcredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

las-protected.gl.at.ply.gg:59571

Mutex

57uEOC4VgAs3IeCB

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Uni.exe

aes.plain

Targets

    • Target

      XWorm.exe

    • Size

      13.5MB

    • MD5

      1e7daac9ab67c09a7ca1ebceae3326b2

    • SHA1

      7312fc660bf03b863de0d4346e3ef462724626e6

    • SHA256

      5bfca9c997f452d4f001abcdfdd1115aa0ef97d5ba2cc48b4523f6fb87a0ba7a

    • SHA512

      5dd037b2f5e0e71c1190c3d300f257ae3fb5f2f9eac142d03e702058f960c9017f1511767a38403f00aae8ee73d6d5ac91095e8389e6fbc254ea2dbf82d7be90

    • SSDEEP

      196608:KOI24UT0mBlShweFDkiVl9qDgC4lukrWuPqllxlshCsWHmn:KOI2pi7dkiVqUJ5rWdtlsMsWHmn

    Score
    10/10
    stormkittyxwormcredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojan

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

1
T1140

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks