General

  • Target

    MOT-DE-PASSE.js

  • Size

    24KB

  • Sample

    240920-zpq9saxfpl

  • MD5

    3568415c8644c0e6a231927bb26c3307

  • SHA1

    3cdece2baabd90c46b4b10d8fc14dfbbc7352651

  • SHA256

    914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622

  • SHA512

    465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe

  • SSDEEP

    768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    developerpro21578Jp@@

Extracted

Family

xworm

Version

5.0

C2

moneyluckwork.ddns.net:7000

moneyluck.duckdns.org:7000

Mutex

gGehVFEiZl8AfiDz

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887

Targets

    • Target

      MOT-DE-PASSE.js

    • Size

      24KB

    • MD5

      3568415c8644c0e6a231927bb26c3307

    • SHA1

      3cdece2baabd90c46b4b10d8fc14dfbbc7352651

    • SHA256

      914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622

    • SHA512

      465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe

    • SSDEEP

      768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ

    • Detect Xworm Payload

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks