Overview

overview

10

Static

static

5

Quotation.scr.exe

windows7-x64

10

Quotation.scr.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotation.scr.exe

  • Size

    699KB

  • Sample

    241126-pxbtysxqfj

  • MD5

    c684a63e08404601807c7bd5af233d28

  • SHA1

    d9607463fcf1ce55eb8e5649b65047ee526d8060

  • SHA256

    f0045c024fc4e796911fa5a1e597c22f011723c8301c4a903dc140699a707621

  • SHA512

    ffd030b446965e404fd7b76bf2839a9dd620b4c1ded7e82c6b02f277219514de0489059617bc2ca5b560c767b401630d0b2d34ec056df514771a563a8e0f46cd

  • SSDEEP

    12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLxwxhzZ:ffmMv6Ckr7Mny5QLxwxhV

Score
10/10
xenarmorxwormcollectiondiscoverypasswordratrecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.99.6:7000

Mutex

ZMMi52bfIGvYY0Ok

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Quotation.scr.exe

    • Size

      699KB

    • MD5

      c684a63e08404601807c7bd5af233d28

    • SHA1

      d9607463fcf1ce55eb8e5649b65047ee526d8060

    • SHA256

      f0045c024fc4e796911fa5a1e597c22f011723c8301c4a903dc140699a707621

    • SHA512

      ffd030b446965e404fd7b76bf2839a9dd620b4c1ded7e82c6b02f277219514de0489059617bc2ca5b560c767b401630d0b2d34ec056df514771a563a8e0f46cd

    • SSDEEP

      12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QLxwxhzZ:ffmMv6Ckr7Mny5QLxwxhV

    Score
    10/10
    xenarmorxwormcollectiondiscoverypasswordratrecoveryspywarestealertrojanupx

    • Detect Xworm Payload

    • XenArmor Suite

      XenArmor is as suite of password recovery tools for various application.

      recoverypasswordxenarmor

    • Xenarmor family

      xenarmor

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks