xenarmor | ce410544a8c50321cbb0fa4fa0f903ec927f4d6d173d09bc37aa54ad5c7ad49e

General

Target

lol.exe
Size

34KB
Sample

240927-xcfw6swgmh
MD5

4d42d6e6cd742d5ceb230cc03bd68ddb
SHA1

febe5e6fdb4cf23e32015bd8c51e6c8af9e95d05
SHA256

ce410544a8c50321cbb0fa4fa0f903ec927f4d6d173d09bc37aa54ad5c7ad49e
SHA512

f1bcd03c98ad29234cf0f1adb805083bd77e718b0eeb9f0806b9a4eb6265356e1ef3967b45f4f5b6e918a06db9a5d78a26724421dedb03e70201a7b261c7cc42
SSDEEP

384:tVxu9qBOae6oK/I7Z9plUzO7LMecZ9CZpbW3tXe3qXR8pkFXBLTIZwYGzcvw9IkF:rxuaUJRnpcZ96pbWx9FV9jhNOjhd/4H

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lefferek-42016.portmap.host:61672

budget-compiled.gl.at.ply.gg:61672

Mutex

ANnWPu8LZzU6MzOM

Attributes

Install_directory
%AppData%
install_file
DiscordClient.exe

aes.plain

Targets

- Target
  
  lol.exe
- Size
  
  34KB
- MD5
  
  4d42d6e6cd742d5ceb230cc03bd68ddb
- SHA1
  
  febe5e6fdb4cf23e32015bd8c51e6c8af9e95d05
- SHA256
  
  ce410544a8c50321cbb0fa4fa0f903ec927f4d6d173d09bc37aa54ad5c7ad49e
- SHA512
  
  f1bcd03c98ad29234cf0f1adb805083bd77e718b0eeb9f0806b9a4eb6265356e1ef3967b45f4f5b6e918a06db9a5d78a26724421dedb03e70201a7b261c7cc42
- SSDEEP
  
  384:tVxu9qBOae6oK/I7Z9plUzO7LMecZ9CZpbW3tXe3qXR8pkFXBLTIZwYGzcvw9IkF:rxuaUJRnpcZ96pbWx9FV9jhNOjhd/4H
Score

10^/10

xworm discovery rat trojan xenarmor collection evasion execution password ransomware recovery spyware stealer upx
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Disables Task Manager via registry modification
  evasion
- Stops running service(s)
  evasion execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2