General
-
Target
https://cdn.discordapp.com/attachments/1269725565804351528/1303082401160888463/Code_Stealer_BYVOLT_X.exe?ex=672a758e&is=6729240e&hm=218b73c4d2eb770bd971345ab11cd5fda9500d671927c0eacb6f10946f143bde&
-
Sample
241105-al4m9szgqf
Malware Config
Extracted
xworm
147.185.221.21:27938
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1269725565804351528/1303082401160888463/Code_Stealer_BYVOLT_X.exe?ex=672a758e&is=6729240e&hm=218b73c4d2eb770bd971345ab11cd5fda9500d671927c0eacb6f10946f143bde&
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Downloads MZ/PE file
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1