General

  • Target

    MOF%20PRODUCTION%20SDN%20BHD%20STATEMENT%20ACC.zip

  • Size

    814KB

  • Sample

    241206-kvyhqavqam

  • MD5

    64f299dc2b09c663c95031ec9b0fab53

  • SHA1

    ed22cd1ee11357ea70565c6f020a0c9092a0a136

  • SHA256

    6d9c0d9c7b1d0f53b585be342a9aba75ace2cfaa5293983225781d8eea9d9557

  • SHA512

    bd36c4a0732a8f6fdde56d47fea6549fb11defd38f9b2a757fd8e20f3a406071221b64e486075276fdf3476c7d19b3e329481dfd31954dd16f9dc3618b6d5083

  • SSDEEP

    24576:IJeEG8fuYFxFTzPGJ3tf9+5NngdV1/poKBwnl:IJA8vnFTzPOV+5Ngdrpyl

Malware Config

Extracted

Family

xworm

Version

5.0

C2

odogwu.mysynology.net:7000

Mutex

ivfnkhmgsIavIQ0A

Attributes

  • install_file

    USB.exe

  • aes.plain

Targets

    • Detect Xworm Payload

    • Guloader family

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15