General
-
Target
File_Generated_Time20241110.zip
-
Size
102.5MB
-
Sample
241110-vjr7nszqfv
-
MD5
201e30c4cf894d891d424fb1f2c7fb89
-
SHA1
2a0a7af1da539a049d55d29c5d54c70c6b16354f
-
SHA256
6855b69e5fbe040daa2fd589b27a8af01906a6dce1e86378e583b07bd8deb218
-
SHA512
bed0f34f6294c2eb03a463340b5f2118bacab62228a5b956ee428111f21fa5e86a24a52b85822159abd74a8313cdfd98784c823c03426898f4f0fcaa90f8a383
-
SSDEEP
1572864:RI4+JDPUMCS+tm9Z9/MKYEW81Y+M7DhxVDuYlcmLF2oBlihckPgs+r/rY91:2hRcMQ69UKYEW8a+M/h3LB3i+kD+rzS1
Malware Config
Extracted
xworm
5.0
merrymerry.zapto.org:25909
KfT8ign3kf9CW752
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot8094840865:AAGswv-hfDjO1LeJ7tJ7YmdNOxK_XwZm2Us
Targets
-
-
Target
File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
-
Size
104.2MB
-
MD5
723110b324b4905d3d6bfe963361658c
-
SHA1
5a8cff10b53be32c8aaef8fae89eec68d6fa2821
-
SHA256
c57f3bd1eab2436acfb3f0311bfb0279a0bc1ab71bff789a7c4f2b12376aa683
-
SHA512
ef7118124ff5a7177d1d6f7a1db6d17b44816823cefb0ba85a3391e223ad1b56b8f048dfcc2d9040a858e854645005c70eac40343e037caee5474376bf65ac55
-
SSDEEP
1572864:cYvDRuqm3HiU2FE3SxJQqGZKr4u3nOlhDZ3nma8La8La8La:cIo53FHixqqGMr4u3OhDZ3d8m8m8m
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1