General

Target: cc.js
Size: 1.6MB
Sample: 241001-gcs9hatbkm
MD5: c63888086e1646654a1e162fde69c0ff
SHA1: 8580dafbffe4d9b0d7e122127a455682ad2bd30e
SHA256: 262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7
SHA512: df2212775d03605673e6420ef74ec6c99fcdbf7e1dde3287c97c634553f66fd084e0f38549134ec9e0fb8cef4033be92013a430aa7955f0c691f7edff02fcb66
SSDEEP: 1536:Cz87aBaU8MENpImB8g0fCSjkXCR6cidzXXeF/LeKCO+RiboFN+LQ81fIgOz2ABPA:s87awfM2B85CSQSsXZXSeKGo7BvOiGI

Static task
  static1

Behavioral task
  behavioral1
  Sample: cc.js
  Resource: win7-20240903-en

Behavioral task
  behavioral2
  Sample: cc.js
  Resource: win10v2004-20240802-en

Malware Config

Extracted
  Family: xworm
  Version: 5.0
  C2: as525795.duckdns.org:6980
  C2: 194.37.97.150:6980
  Key: wtYmVE2WY2XGhWlO
  install_file: adobe.exe
Targets

Target: cc.js
Size: 1.6MB
MD5: c63888086e1646654a1e162fde69c0ff
SHA1: 8580dafbffe4d9b0d7e122127a455682ad2bd30e
SHA256: 262fb2e45f9b66956236f89f4cbeac22ee3d011832263a28ed7f632a22ae87d7
SHA512: df2212775d03605673e6420ef74ec6c99fcdbf7e1dde3287c97c634553f66fd084e0f38549134ec9e0fb8cef4033be92013a430aa7955f0c691f7edff02fcb66
SSDEEP: 1536:Cz87aBaU8MENpImB8g0fCSjkXCR6cidzXXeF/LeKCO+RiboFN+LQ81fIgOz2ABPA:s87awfM2B85CSQSsXZXSeKGo7BvOiGI

Signatures
  Detect Xworm Payload
  StormKitty payload
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution
    Registry Run Keys / Startup Folder (1)

Credential Access
  Credentials from Password Stores
    Credentials from Web Browsers (1)
  Unsecured Credentials
    Credentials In Files (1)