General

  • Target

    Stellar.exe

  • Size

    2.4MB

  • Sample

    240915-wsczsawckd

  • MD5

    d68dba883125d1a3408e13b84a3524e1

  • SHA1

    b613717517240829d8c28242a3b2ec7c6576b3f3

  • SHA256

    cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba

  • SHA512

    bad82130be599397e7a58a80d8301618fd35787c8d7bf5c1ae0d2cd00f92613265cabd9678c7dcd3e4fe8251a2636b14bdc7d0c0f29e383ae54b5dcf08b30de3

  • SSDEEP

    49152:vMkygnW2WnCzXzf7UPrn2Xb0ThRyUB1CP/yOuUaL4EgfGs3:t7nW2eCzjf7EnNvyCCZeLOG4

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/LsuynkUz

Targets

    • Target

      Stellar.exe

    • Size

      2.4MB

    • MD5

      d68dba883125d1a3408e13b84a3524e1

    • SHA1

      b613717517240829d8c28242a3b2ec7c6576b3f3

    • SHA256

      cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba

    • SHA512

      bad82130be599397e7a58a80d8301618fd35787c8d7bf5c1ae0d2cd00f92613265cabd9678c7dcd3e4fe8251a2636b14bdc7d0c0f29e383ae54b5dcf08b30de3

    • SSDEEP

      49152:vMkygnW2WnCzXzf7UPrn2Xb0ThRyUB1CP/yOuUaL4EgfGs3:t7nW2eCzjf7EnNvyCCZeLOG4

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • AgentTesla payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks