General

  • Target

    Valid.exe

  • Size

    47.1MB

  • Sample

    241005-hfpwxs1cpj

  • MD5

    f3b6c826b524f0633407f83a08c1fc0e

  • SHA1

    b1abbbeaed66803bd7cc0ae1aa39df873e3a012c

  • SHA256

    a468ef9f97228836ec9f93c605717b79c397bc72ce52dbdba76f5e81673df3a8

  • SHA512

    c955f76e9624edb514c52dfc1ab51ae1bc2c93054e7af207a04b3a913bae77f5f02cbbf0ab38336070bdadff4a9ea89b0e2a0a713062897727cee38e0fa80f8f

  • SSDEEP

    786432:SSaxOSmEucd8/6KHAMFhZ/OHpolhqbHJX/8gLq23/Wqpl3AnPTKIIEOw4cZACg4:S4SmEuccFNvVQ08bxHLq4esmZIEbR

Malware Config

Extracted

Family

xworm

C2

23.ip.gl.ply.gg:7036

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Targets

    • Target

      Valid.exe

    • Size

      47.1MB

    • MD5

      f3b6c826b524f0633407f83a08c1fc0e

    • SHA1

      b1abbbeaed66803bd7cc0ae1aa39df873e3a012c

    • SHA256

      a468ef9f97228836ec9f93c605717b79c397bc72ce52dbdba76f5e81673df3a8

    • SHA512

      c955f76e9624edb514c52dfc1ab51ae1bc2c93054e7af207a04b3a913bae77f5f02cbbf0ab38336070bdadff4a9ea89b0e2a0a713062897727cee38e0fa80f8f

    • SSDEEP

      786432:SSaxOSmEucd8/6KHAMFhZ/OHpolhqbHJX/8gLq23/Wqpl3AnPTKIIEOw4cZACg4:S4SmEuccFNvVQ08bxHLq4esmZIEbR

    • Detect Umbral payload

    • Detect Xworm Payload

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks