General

  • Target: a6153d09a83cd3cf7391fa6bd817a8d7.zip
  • Size: 6KB
  • Sample: 241029-2aw8lasmbl
  • MD5: a6153d09a83cd3cf7391fa6bd817a8d7
  • SHA1: db9c08319cd22842a9cdcc5925f46327f2f004fc
  • SHA256: 2aa9509682d45bc187eba3c951ec3841101779d1c93da418cbadbbf0c927c17d
  • SHA512: 69f1fda51aa507260908c2163801b3cf1766d1c3decce6725ac71a8a84a392b0b85dc9bfc9e5fff4ef0773dd791b49410512838daa325ac945060dc336280172
  • SSDEEP: 96:hRzwv4ktECTCMMNzmz0RJ8j6tO6ArGA9oDWzBm2cC2zGlDFsG3M2PyZjVnzN3VSm:/kgk2CX+Kr3iCJc8F9M22z7SWf

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    • ps1.dropper: https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true
    • exe.dropper: https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: crypters.ddns.com.br:7000
  • Mutex: GGGrHP0Odh89zLnb
  • Attributes
    • install_file: USB.exe
  • aes.plain

Targets

    • Target: OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat
    • Size: 210KB
    • MD5: fc162f6d374e3bce9c3130fdcb6b7307
    • SHA1: a874953f738df2b9c59d52d1262aac387bf26fb7
    • SHA256: c7b24736650ed6130939821101f4641e1a50a2316f3bbcf974d85c8de585a40d
    • SHA512: 520bf9202494786604d194bf6b23020231810744bbb405c1177ab7ee30c82633027445c3bb4e464cc690e7d7d0b6daaecd0a5884aeebcd585541d746cdf662e8
    • SSDEEP: 6144:vZnip76K90FB+Z7VIuArKAgY2aaOOiuauK+yp8:E

    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Xworm family
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell: Run PowerShell and hide the display window.
    • Drops startup file
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks