General

  • Target

    XWorm-RAT

  • Size

    286KB

  • Sample

    241205-n96pestmgz

  • MD5

    3e93b5fa005b274eb84d23478ec99b48

  • SHA1

    a0952ac33f53143430b3d95f8d040fe43244b107

  • SHA256

    bcd1d83e9ada9ee87dc4b81ae89bf9ec7ff393291498a06a6fdd1beda496e947

  • SHA512

    5339e319df657b7b366129b27141ac6f2e668f668e6916977f9506127df3777b68e64d587757525bcdcfc4f5f4236a0433923bc38819d84226aec0a0892dd313

  • SSDEEP

    6144:1yssgpOL/saqkPV9FemLtcIDSsmwf9KvZJT3CqbMrhryf65NRPaCieMjAkvCJv1j:kssgpOL/saqkPV9FemLtcIDSsmwf9Kvs

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000 (loopback address: the XWorm component of this sample is not configured with an external C2; the only outbound C2 in the config is the Telegram Bot API used by the Gurcu payload below)

Mutex

LDr3dSUbweENStU4

Attributes
  • install_file

    USB.exe

  • aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb

https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendMessage?chat_id=2024893777

https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/getUpdates?offset=-

https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take
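The Gurcu C2 entries above are Telegram Bot API calls: the path carries the bot token (numeric bot id, colon, secret) and the method, the query carries the destination chat_id and a percent-encoded caption describing the stolen data. The following is an added example, not code from the report or from either malware family, that parses those URLs into indicators and then runs them over a few constructed proxy log lines (the log format and the second bot token are assumptions for the demo):

```python
"""Turn the Telegram Bot API URLs from the extracted Gurcu/WhiteSnake config into
indicators, then run those indicators over proxy log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# The four C2 URLs exactly as they appear in the extracted config above (the first and
# third are truncated in the report; the parser tolerates that).
GURCU_C2_URLS = [
    "https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb)%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%84%20-%20BrowserDownloads.txt%20(0.21%20kb",
    "https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendMessage?chat_id=2024893777",
    "https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/getUpdates?offset=-",
    "https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777&caption=%F0%9F%93%B8Screenshot%20take",
]

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Return bot id, full token, API method, chat_id and decoded caption, or None
    if the URL is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query)  # percent-decodes the values for us
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": qs.get("chat_id", [None])[0],
        "caption": qs.get("caption", [None])[0],
    }


def build_indicators(urls):
    """Collapse a list of C2 URLs into sets that a detection rule can key on."""
    ind = {"bot_ids": set(), "tokens": set(), "chat_ids": set(), "methods": set()}
    for url in urls:
        c2 = parse_telegram_c2(url)
        if c2 is None:
            continue
        ind["bot_ids"].add(c2["bot_id"])
        ind["tokens"].add(c2["token"])
        ind["methods"].add(c2["method"])
        if c2["chat_id"]:
            ind["chat_ids"].add(c2["chat_id"])
    return ind


# Constructed proxy log lines for the demo, "<timestamp> <client> <method> <url>".
# They are not from the sandbox run; the last line uses a made-up bot token.
PROXY_LOG = """\
2024-12-05T14:02:11Z 10.0.0.23 CONNECT api.telegram.org:443
2024-12-05T14:02:12Z 10.0.0.23 POST https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/sendDocument?chat_id=2024893777
2024-12-05T14:02:13Z 10.0.0.23 GET https://api.telegram.org/bot7661594921:AAFaXMAKOmV5u6KsEaGlDyc48-xcrQUMR_U/getUpdates?offset=-1
2024-12-05T14:05:40Z 10.0.0.51 GET https://www.microsoft.com/
2024-12-05T14:06:02Z 10.0.0.77 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage?chat_id=1
"""


def scan_proxy_log(log_text, indicators):
    """Flag Bot API traffic. A token or chat_id from the known config is 'high';
    any other Bot API call from a workstation is still 'medium', because stealer
    operators rotate bots while keeping the same upload pattern."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("http"):
            continue  # CONNECT lines and short records carry no URL to parse
        ts, client, _, url = fields[:4]
        c2 = parse_telegram_c2(url)
        if c2 is None:
            continue
        known = c2["token"] in indicators["tokens"] or c2["chat_id"] in indicators["chat_ids"]
        alerts.append((ts, client, "high" if known else "medium", c2["bot_id"], c2["method"]))
    return alerts


if __name__ == "__main__":
    ind = build_indicators(GURCU_C2_URLS)
    print("bot ids:", ind["bot_ids"], "chat ids:", ind["chat_ids"], "methods:", ind["methods"])
    for alert in scan_proxy_log(PROXY_LOG, ind):
        print(*alert)
```

Because the token is in the URL path, a TLS-inspecting proxy or a DNS-plus-SNI log is needed to see it; with SNI alone the only signal is api.telegram.org from a host that has no business reason to talk to Telegram. The token itself is also a revocation lead: Telegram can disable the bot, which cuts the exfiltration channel for every victim of this build.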

Targets

    • Detect Xworm Payload

    • Gurcu family

    • Gurcu, WhiteSnake

      Gurcu, also known as WhiteSnake, is an information stealer written in C#.

    • UAC bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely harvest the browser's stored data: saved credentials, cookies, autofill entries and download history (the Telegram caption in the extracted config above lists cookies and BrowserDownloads.txt for this sample).

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist
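Several of the signatures above describe host activity that leaves a trace in endpoint telemetry: the dropped executable launching the .NET compiler host, a Run key pointing at the install_file from the config, and tasklist spawned for process discovery. The following is an added example, not the sandbox's own detection logic, that encodes those three behaviours as rules over constructed Sysmon-style events. It assumes that "Uses the VBS compiler for execution" refers to vbc.exe, that the Run key value names USB.exe, and it uses Sysmon's field names (EventID 1 process create, EventID 13 registry value set) for the event dicts; the SIDs, paths and pids are made up for the demo:

```python
"""Detection rules for the XWorm host behaviours listed above, run over constructed
Sysmon-style events. Assumptions: the 'VBS compiler' signature refers to vbc.exe,
and the persistence Run key value points at the install_file from the config."""
import ntpath

INSTALL_FILE = "USB.exe"  # install_file attribute from the extracted xworm config
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def _user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def _exe_from_command(cmd):
    """First token of a command line or registry value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def detect(events):
    """Return (rule, pid) hits in event order."""
    hits = []
    hollow_hosts = set()  # pids of vbc.exe started by something in a user-writable path
    for ev in events:
        if ev["EventID"] == 1:
            image = ntpath.basename(ev["Image"]).lower()
            parent = ev.get("ParentImage", "")
            if image == "vbc.exe" and _user_writable(parent):
                # Build tools start vbc.exe from MSBuild or devenv; an executable living in
                # %APPDATA% starting it is the .NET crypter process-hollowing pattern.
                hollow_hosts.add(ev["ProcessId"])
                hits.append(("T1055 vbc.exe started by user-writable parent", ev["ProcessId"]))
            elif image == "tasklist.exe" and (
                _user_writable(parent) or ev.get("ParentProcessId") in hollow_hosts
            ):
                # Discovery from the dropped binary or from the process it hollowed
                hits.append(("T1057 tasklist from suspicious parent", ev["ProcessId"]))
        elif ev["EventID"] == 13:
            target = ev["TargetObject"].lower()
            exe = ntpath.basename(_exe_from_command(ev.get("Details", ""))).lower()
            if any(k in target for k in RUN_KEYS) and exe == INSTALL_FILE.lower():
                hits.append(("T1547.001 Run key points at install_file", ev["ProcessId"]))
    return hits


# Constructed events (not from the sandbox run): the XWorm chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentProcessId": 1337,
     "Image": r"C:\Users\victim\AppData\Roaming\USB.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\USB.exe"},
    {"EventID": 13, "ProcessId": 4188,
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "Details": r"C:\Users\victim\AppData\Roaming\USB.exe"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    # benign: a real compile and a vendor Run key
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4999,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 13, "ProcessId": 5100,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Two of the listed behaviours are not covered by these rules on purpose: the mutex LDr3dSUbweENStU4 is only visible through handle enumeration or memory forensics, since Sysmon does not log mutex creation, and the "Checks whether UAC is enabled" signature is a registry read, which Sysmon's EventID 13 (value set) does not capture either; a scan of running processes for that mutex name is the quicker live-response check.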

MITRE ATT&CK Enterprise v15