General

  • Target

    d960d1980fbb7446cab8533dc42ccd13.zip

  • Size

    6KB

  • Sample

    241029-2px4fasnhn

  • MD5

    d960d1980fbb7446cab8533dc42ccd13

  • SHA1

    675b937d9662c2401c362eff917c81a1e8d4a9f1

  • SHA256

    568ba74b8618d572ab754f6f49f1bf0e4d48692c63af13a5128273b88895b4ee

  • SHA512

    70d4d4cf3bbe99b1509862fc75ea99e3b769279f8de55fb4ecbe5fc0c7a09af75c19bdbaf6c16e60cbc1263eb0388cb7c367fc929b05da6cb25abebc1f3fed46

  • SSDEEP

    192:42q2oqDKUSMkUcWDHqyT2GlT6TbrKpknbjCSz40I2e24:9dSoKnDKpI3CSk0i

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

    exe.dropper: https://github.com/CryptersAndTools/Upload/blob/main/new_image.jpg?raw=true

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    crypters.ddns.com.br:7000

  • Mutex

    GGGrHP0Odh89zLnb

  • Attributes

    install_file: USB.exe

  • aes.plain

Targets

    • Target

      TRANSACCIÓN Pagar proveedores ha sido Aprobada.bat

    • Size

      210KB

    • MD5

      578af000aed63fa1ede68df809e4ecf1

    • SHA1

      8d4879bda890604c497961d1a7fa629d857392eb

    • SHA256

      063e9da93b4d0e7b9f9e78911962cb83fcb02d648fb8be4e4cfa24f4a828367d

    • SHA512

      0a88222d321d8f2367d12bfaa85e0816960277953437da758d480efb2cfdc4cb444e897ec8060a5b684af749b95f2a615f87c5ede99bb6847b96f5be45b48829

    • SSDEEP

      6144:vZXTzJ4W13nUOtjrquYrggU6qgAKggmcWg2w08:2

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks