General

  • Target

    EzFN-Manager.exe

  • Size

    11.3MB

  • Sample

    241128-c2g6ba1pet

  • MD5

    4d909890fee721be5605f2b64bdf72fb

  • SHA1

    82fb1d4769025e27cda5e399ddbfb57b21e7b559

  • SHA256

    2abb6eefa29e46e8580cfb9f4eff67913423197ed103b694e4158e0e6ed2ba79

  • SHA512

    43aa1089f736c181d330e2adb1d6622d4f60ca6aac36206bc79e34e1330c945c64d139e9a59600cd17571d595cd1ed4a3f88e05b55f7abd6784f0c4eb22fc5de

  • SSDEEP

    196608:Sa1bPAaYyCtOPI1GIPxSYWnuOKVKxP19TjGe2g/CZqMlEkUb1zBzs:SnMPJIZSY2TKV29vGeTKZqMlEkUxzB

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1309150098055495793/k9e9xgOw-6_C2plzzrJuXKnk0n6rjOfFwyNN15kYdvJC528Av5hMa6QHDC_kqeEBzjsS

Extracted

Family

xworm

Version

5.0

C2

ezfn57.serveo.net:4782

Mutex

UoXEvvukylvflHuQ

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinRar.exe

aes.plain

Targets

    • Target

      EzFN-Manager.exe

    • Size

      11.3MB

    • MD5

      4d909890fee721be5605f2b64bdf72fb

    • SHA1

      82fb1d4769025e27cda5e399ddbfb57b21e7b559

    • SHA256

      2abb6eefa29e46e8580cfb9f4eff67913423197ed103b694e4158e0e6ed2ba79

    • SHA512

      43aa1089f736c181d330e2adb1d6622d4f60ca6aac36206bc79e34e1330c945c64d139e9a59600cd17571d595cd1ed4a3f88e05b55f7abd6784f0c4eb22fc5de

    • SSDEEP

      196608:Sa1bPAaYyCtOPI1GIPxSYWnuOKVKxP19TjGe2g/CZqMlEkUb1zBzs:SnMPJIZSY2TKV29vGeTKZqMlEkUxzB

    • Detect Xworm Payload

    • Skuld family

    • Skuld stealer

      An info stealer written in Go lang.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks