General

  • Target

    BQ_PO#385995.exe

  • Size

    398KB

  • Sample

    241205-p8m2csvra1

  • MD5

    7e3e88fad78dff83ea421084315bfd78

  • SHA1

    2e185874ff61f0097b34ae66cdc09bbbf1951f62

  • SHA256

    26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466

  • SHA512

    432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f

  • SSDEEP

    6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.100.131:7000

Mutex

I1KOVoZcD6Qqbmm9

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Targets

    • Target

      BQ_PO#385995.exe

    • Size

      398KB

    • MD5

      7e3e88fad78dff83ea421084315bfd78

    • SHA1

      2e185874ff61f0097b34ae66cdc09bbbf1951f62

    • SHA256

      26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466

    • SHA512

      432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f

    • SSDEEP

      6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr

    • Detect Xworm Payload

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    • Vipkeylogger family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks