General

  • Target

    BQ_PO#385995.zip

  • Size

    387KB

  • Sample

    241205-vlttaazlgj

  • MD5

    a78808c70ac319e7e5be5000e2c62f1f

  • SHA1

    38a90bf6b4335859bf242bb589f00885a104a201

  • SHA256

    dabc8d69b304a27576205cc1054f7ea71ba89cc2ac9026f9863829c7622ba5b3

  • SHA512

    43181a2d0f34aa1c37e7f797383325c10ae72cf5a47563d9bf9e72d750c20b6d25cef46087ec2db8dc67073cfc58d37049efcd988fb5e7e2b765275e2ffe26f7

  • SSDEEP

    12288:tv9V9vuecXR6YQs/SnyuMTpzk8G5Acuvu:7Gej7tjokh5Acuvu

Malware Config

Extracted

Family

xworm

Version

3.1

C2

69.174.100.131:7000

Mutex

I1KOVoZcD6Qqbmm9

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Targets

    • Target

      BQ_PO#385995.exe

    • Size

      398KB

    • MD5

      7e3e88fad78dff83ea421084315bfd78

    • SHA1

      2e185874ff61f0097b34ae66cdc09bbbf1951f62

    • SHA256

      26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466

    • SHA512

      432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f

    • SSDEEP

      6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr

    • Detect Xworm Payload

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

    • Vipkeylogger family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks