General
-
Target
file01.js
-
Size
7KB
-
Sample
240930-k9rzgssakd
-
MD5
8fbf57ab035ec7063b9522e5f30a75f7
-
SHA1
cd761463221ba82f46b2b28fe56a0e74588c64b9
-
SHA256
ff84d777db298c70e206a94f1a4a1a5d5536d8cd42eedbd50ffde364daa368a6
-
SHA512
6fb68c7241c130973c1332a2f1c23c76cdb4640d76e270e1a0538a83001fe7d2aa4397ccb34def80ce88a5050f36d7bbaad7700fd9efa666c26bb0e6c4bc71d6
-
SSDEEP
96:lUu0CRu5u37arzWruLprCRuzrN+uQ6rgxX4murNdgCRufZQL76mXHNuipdWwp5i6:lUycqnDtjfQxaWpK+l
Malware Config
Extracted
xworm
5.0
as525795.duckdns.org:6980
194.37.97.150:6980
wtYmVE2WY2XGhWlO
-
install_file
adobe.exe
Targets
-
-
Target
file01.js
-
Size
7KB
-
MD5
8fbf57ab035ec7063b9522e5f30a75f7
-
SHA1
cd761463221ba82f46b2b28fe56a0e74588c64b9
-
SHA256
ff84d777db298c70e206a94f1a4a1a5d5536d8cd42eedbd50ffde364daa368a6
-
SHA512
6fb68c7241c130973c1332a2f1c23c76cdb4640d76e270e1a0538a83001fe7d2aa4397ccb34def80ce88a5050f36d7bbaad7700fd9efa666c26bb0e6c4bc71d6
-
SSDEEP
96:lUu0CRu5u37arzWruLprCRuzrN+uQ6rgxX4murNdgCRufZQL76mXHNuipdWwp5i6:lUycqnDtjfQxaWpK+l
Score10/10-
Detect Xworm Payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1