Resubmissions

04-09-2024 03:02

240904-djne2svhpa 10

04-09-2024 03:01

240904-djb21svhne 1

04-09-2024 01:09

240904-bhv3dstbjg 10

03-09-2024 23:53

240903-3xrgaszhqm 10

03-09-2024 23:29

240903-3gywfa1fna 10

03-09-2024 23:26

240903-3ev2rs1erg 10

General

  • Target

    XClient.bat

  • Size

    320KB

  • Sample

    240904-djne2svhpa

  • MD5

    e0d59aedb927f0aad0b47eab247e5fbc

  • SHA1

    8abe8db8e344729b0f78d83e540b17a31893ed92

  • SHA256

    ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

  • SHA512

    7459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97

  • SSDEEP

    6144:HQIYl64Q3Gx/E7X3YIzsUW4MN2nwaF0FbD/VdFzqEE/jeT3/:HQIh77X3t6+4VdFzoW/

Malware Config

Targets

    • Target

      XClient.bat

    • Size

      320KB

    • MD5

      e0d59aedb927f0aad0b47eab247e5fbc

    • SHA1

      8abe8db8e344729b0f78d83e540b17a31893ed92

    • SHA256

      ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c

    • SHA512

      7459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97

    • SSDEEP

      6144:HQIYl64Q3Gx/E7X3YIzsUW4MN2nwaF0FbD/VdFzqEE/jeT3/:HQIh77X3t6+4VdFzoW/

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks