General

  • Target

    bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895.exe

  • Size

    464KB

  • Sample

    241107-dnqqzathkh

  • MD5

    52625f5f6f0a73342fd19a10946563be

  • SHA1

    b048bc9baf7e11f4b65c779e8eada27244c13bb8

  • SHA256

    bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895

  • SHA512

    39c0b784c663e30ff14bcaa5ee40a4dcde9303bab810e2253678f554bc4514836efd49b61175e307a6772142394b94ed1f5455dabbe28a295d61c8255ecbf8c4

  • SSDEEP

    6144:3ivSaPZbhGa/X/gSEmepzPuAPJvmdXKWXlpsSj1ddDYFkFnT9PCqgiRKovv:zaPZbEeX/3etPJsvsmKY9qqpjv

Malware Config

Extracted

Family

xworm

Version

5.0

C2

weidmachane.zapto.org:7000

Mutex

Y3sPpIW4xQztdVfl

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

latentbot

C2

weidmachane.zapto.org

Targets

    • Target

      bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895.exe

    • Size

      464KB

    • MD5

      52625f5f6f0a73342fd19a10946563be

    • SHA1

      b048bc9baf7e11f4b65c779e8eada27244c13bb8

    • SHA256

      bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895

    • SHA512

      39c0b784c663e30ff14bcaa5ee40a4dcde9303bab810e2253678f554bc4514836efd49b61175e307a6772142394b94ed1f5455dabbe28a295d61c8255ecbf8c4

    • SSDEEP

      6144:3ivSaPZbhGa/X/gSEmepzPuAPJvmdXKWXlpsSj1ddDYFkFnT9PCqgiRKovv:zaPZbEeX/3etPJsvsmKY9qqpjv

    • Detect Xworm Payload

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Latentbot family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks