xenarmor | 314e1323c01aaa12887aff77d00e8663e35e84b50ce8fa0a64bf8d8a0810659c

General

Target

AndsheeR rat cracked.exe
Size

33KB
Sample

240831-3bhbha1fkd
MD5

6c40fb008136f3bd47a32deb3b2566c9
SHA1

735012c05b565cba6d5b96cbb736a520c92d525d
SHA256

314e1323c01aaa12887aff77d00e8663e35e84b50ce8fa0a64bf8d8a0810659c
SHA512

2f12b086c3e54432b9e5e6ef93f6c9df932eb94cbff259eb0cf6231059ce0e7e61189d1b0b074450a108c27cee27e30b1c7ef5f17d18c220baee2a5e0e6fc03e
SSDEEP

384:3l+PkjD9+E5MFs7iui8L7zzM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99Ikuia:V+CD93W03442JiB706VF49jTOjhpb9

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lefferek-42016.portmap.host:42016

Mutex

Gyt4FNiLFEYwx3rc

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  AndsheeR rat cracked.exe
- Size
  
  33KB
- MD5
  
  6c40fb008136f3bd47a32deb3b2566c9
- SHA1
  
  735012c05b565cba6d5b96cbb736a520c92d525d
- SHA256
  
  314e1323c01aaa12887aff77d00e8663e35e84b50ce8fa0a64bf8d8a0810659c
- SHA512
  
  2f12b086c3e54432b9e5e6ef93f6c9df932eb94cbff259eb0cf6231059ce0e7e61189d1b0b074450a108c27cee27e30b1c7ef5f17d18c220baee2a5e0e6fc03e
- SSDEEP
  
  384:3l+PkjD9+E5MFs7iui8L7zzM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99Ikuia:V+CD93W03442JiB706VF49jTOjhpb9
Score

10^/10

xenarmor xworm bootkit collection credential_access discovery password persistence privilege_escalation rat recovery spyware stealer trojan upx
- Detect Xworm Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses Microsoft Outlook accounts
  collection
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1