Overview

overview

9

Static

static

3

XWorm V5.2.exe

windows7-x64

1

XWorm V5.2.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V5.2.exe

  • Size

    37.7MB

  • Sample

    240909-tawcaswfjp

  • MD5

    4d2fe88411ca382a705f7de70505f8ee

  • SHA1

    992be069e1123ea68a414ce462f2b7a0e5c39563

  • SHA256

    1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551

  • SHA512

    8df4399dc43b854fd72764b426146044799aaea80a07dbecf4d28941b957af1b480ade452fd020912c37b54280a057f02be19c10812f59ab3b8f2d45c0a82b43

  • SSDEEP

    786432:V3on1HvSzxAMNwFZArYsHPv697OZYV797:VYn1HvSpNwXmvYJX

Score
9/10
collectioncredential_accessdefense_evasiondiscoveryexecutionpersistencespywarestealer

Malware Config

Targets

    • Target

      XWorm V5.2.exe

    • Size

      37.7MB

    • MD5

      4d2fe88411ca382a705f7de70505f8ee

    • SHA1

      992be069e1123ea68a414ce462f2b7a0e5c39563

    • SHA256

      1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551

    • SHA512

      8df4399dc43b854fd72764b426146044799aaea80a07dbecf4d28941b957af1b480ade452fd020912c37b54280a057f02be19c10812f59ab3b8f2d45c0a82b43

    • SSDEEP

      786432:V3on1HvSzxAMNwFZArYsHPv697OZYV797:VYn1HvSpNwXmvYJX

    Score
    9/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionpersistencespywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Window

1
T1564.003

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks