General

  • Target

    EQ_AW24 New Order Request.xlx.exe

  • Size

    656KB

  • Sample

    241105-rfhbhsvmgm

  • MD5

    ca2ed1b927f4bee1cd1f24bb19f4c0e1

  • SHA1

    d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d

  • SHA256

    030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b

  • SHA512

    153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7

  • SSDEEP

    12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi

Malware Config

Extracted

Family

xworm

Version

5.0

C2

176.9.162.125:4060

Mutex

znPInVDrQ2IiwTWB

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      EQ_AW24 New Order Request.xlx.exe

    • Size

      656KB

    • MD5

      ca2ed1b927f4bee1cd1f24bb19f4c0e1

    • SHA1

      d1b7dc1cc0412301c61660d0d5cb02d20a6aa77d

    • SHA256

      030324e0a31427fd63213acd29f3cdf5b445a6ec03eb803fb08dbf3a0c1b258b

    • SHA512

      153939e1eeaeb2e3d4fc9f487ce039fde403a18ea94466c55c53ce5e00aefa59ae3324c03687c1794c7d321da9b2dced1bca2a658d5da54e0acb76dfff4d3da7

    • SSDEEP

      12288:cT02YrvZq2mPKxG3sfYFwJH9ZzkwGQWOsKWLCp6X9uruAK5Gi:cTbYdqfKxG3swyVk7QWOhW+p6NBAWGi

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks