General

  • Target

    1[1].bat

  • Size

    158KB

  • Sample

    241015-3l4bqasglf

  • MD5

    fe40ee4255d4757724cfca0bc65c2384

  • SHA1

    d012699b807eb5b32909ffdc365897ecc2b46c15

  • SHA256

    2f4252bb9695dd309f064d40d3fa45a122e6a44b3c442bff8d1ee1cd0a27c0fc

  • SHA512

    b58e09d1052c5d2e636329bb31337b2addd14971fd2322b382489af238dd536118490f1e4cdd461b68d666a7b0837404014970c6b2245a1f805074b203111dc7

  • SSDEEP

    3072:itkxMyL+YnNk57n2+d1zyPpwIjbrnHM7kZQ0u/swy/W:igJKKNk57fdB4pwIjbKkeGW

Targets

    • Target

      1[1].bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Launches the browser with remote debugging enabled; the DevTools interface can then be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Unsecured Credentials: Credentials In Files

      Reads credentials stored in unsecured files on disk.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
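
Three of the behaviours above (browser remote debugging, Run-key persistence and external IP lookup) are easy to check for on a host once you know what to look for. The following is an added example, not output of the sandbox or code belonging to the sample: a small Python triage over constructed process, registry and DNS events. The event schema is invented for the example; the Chromium `--remote-debugging-port`/`--remote-debugging-pipe` flags and the `CurrentVersion\Run` keys are real, while the list of IP lookup hosts is an illustrative assumption, since the report does not name the service this sample used.

```python
"""Triage checks for three behaviours flagged in this report, run over
constructed Windows events (illustrative data, not real sandbox output)."""
import re
from typing import Dict, List

# Chromium flags that expose the DevTools protocol on a local port or pipe.
# An interactive user almost never starts a browser this way.
REMOTE_DEBUG_FLAGS = ("--remote-debugging-port", "--remote-debugging-pipe")
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Assumed, illustrative list of public IP lookup hosts; the report does not
# say which service this sample contacted.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io",
                   "icanhazip.com", "ifconfig.me"}

# Autostart keys under HKCU/HKLM. Data pointing into a typically
# user-writable directory is the usual shape of malware persistence.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)

# Constructed events in a minimal schema: type = process | registry | dns.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\1[1].bat"'},
    {"type": "process", "pid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--remote-debugging-port=9222 --headless '
                r'--user-data-dir="C:\Users\victim\AppData\Local\Google\Chrome\User Data"'},
    {"type": "process", "pid": 5000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'},
    {"type": "registry", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\Users\victim\AppData\Roaming\svchost.exe"},
    {"type": "registry", "pid": 1200,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "dns", "pid": 4120, "query": "api.ipify.org"},
    {"type": "dns", "pid": 5000, "query": "example.com"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_remote_debugging(events) -> List[str]:
    """Browser started with a DevTools flag: cookies and authenticated
    sessions become reachable over the debugging port without having to
    decrypt the on-disk browser stores."""
    hits = []
    for e in events:
        if (e["type"] == "process" and _basename(e["image"]) in BROWSERS
                and any(f in e["cmdline"] for f in REMOTE_DEBUG_FLAGS)):
            hits.append(f"pid {e['pid']}: {_basename(e['image'])} launched with DevTools exposed")
    return hits


def check_run_keys(events) -> List[str]:
    """Run/RunOnce value whose target lives in a user-writable directory."""
    hits = []
    for e in events:
        if (e["type"] == "registry" and RUN_KEY_RE.search(e["key"])
                and USER_WRITABLE_RE.search(e["data"])):
            hits.append(f"pid {e['pid']}: {e['key']}\\{e['value']} -> {e['data']}")
    return hits


def check_ip_lookup(events) -> List[str]:
    """DNS query for a public IP lookup service by any process."""
    return [f"pid {e['pid']}: resolved {e['query']}"
            for e in events
            if e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_HOSTS]


def triage(events) -> Dict[str, List[str]]:
    """Map the report's signature names to the events that trigger them;
    signatures with no hits are left out."""
    results = {
        "Uses browser remote debugging": check_remote_debugging(events),
        "Adds Run key to start application": check_run_keys(events),
        "Looks up external IP address via web service": check_ip_lookup(events),
    }
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(name)
        for h in hits:
            print("   ", h)
```

The benign Chrome launch (pid 5000) and the HKLM entry pointing into System32 are deliberately included so the checks show they key on the debugging flag and on the target path, not merely on "a browser ran" or "a Run key was written"; on a real host the same logic applies to Sysmon event IDs 1, 13 and 22 or to EDR telemetry with the matching fields.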

MITRE ATT&CK Enterprise v15