blankgrabber | ace47168d15ff37ea019a11bc0ad4f5353d277a9a9ebee6eeccb3101727cfb73

General

Target

w.zip
Size

7.7MB
Sample

241128-xaz72awmbt
MD5

9d50cd54890adf361bf032cc719d72cd
SHA1

7a82332c39a7aede83a9b92c98b4f6ff982b0fff
SHA256

ace47168d15ff37ea019a11bc0ad4f5353d277a9a9ebee6eeccb3101727cfb73
SHA512

19ebe2b83023b1c0b394ffaaffa5812c43c45ba870fe8293c6b393fe33df9abd0606c22b1ae3870431fa899e6e88f5a9969fb79f208c16ded020d5d81ae2fadc
SSDEEP

196608:PhyiwlApBaKR+w7tqsiNtGROHDqJhafp/VSFtMX30I8/rS:yApR+4tHiNtGRaG00FtJm

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.216.19.12:7000

Mutex

NuXVPKhDBKHTLExY

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk

aes.plain

Targets

- Target
  
  win12.exe
- Size
  
  7.8MB
- MD5
  
  1f9e89517854258c99877b23abe2e045
- SHA1
  
  bddfa736ca2b22faa1e566f365c38f28b806bc95
- SHA256
  
  6f32596ebd4cb3ac5feb00f1b3f71ed03eb28db04df44d878c6531240b1f3171
- SHA512
  
  9659bf4f6d515e0338af4ada26d2bb31e2eb046f0ac9811b5d509c2edfa0d64957efcf53a0fb3c484b45469b9d7ff759eb268b4d478e0205e3bf7a9f6af36672
- SSDEEP
  
  196608:45/HYUwfI9jUCzi4H1qSiXLGVi7DMgpZ3QJVM9QwCEc/jM:iYIHziK1piXLGVE4UeJV5g
Score

10^/10

upx xworm collection credential_access defense_evasion discovery execution persistence phishing privilege_escalation rat spyware stealer trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- A potential corporate email address has been identified in the URL: FluxJacker@mrfluxdevNewCLientFBB2DBF07DEA74533A82UserNameAdminOSFullNameMicrosoftWindows10ProUSBFalseCPUIntelCoreProcessorBroadwellGPUMicrosoftBasicDisplayAdapterRAMErrorGroupFJv1snew
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2