General

  • Target

    49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286

  • Size

    376KB

  • Sample

    241211-lafb3s1lcl

  • MD5

    674698ce43b5028c156c8bd9a908dc09

  • SHA1

    5b0517a6f78828b0b139bd6ad8870df3217c9d63

  • SHA256

    49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286

  • SHA512

    24afe9514cd18ce8cb17a174f1e6a5f31aa82631a4f844ce7b2d08ffab4fcfb9cd8e757584717f003ad0e23f8d1dd9769e42996f198668fbe7582e2a660aa451

  • SSDEEP

    6144:CmR7q+dL+PNCT/OPmt8/ixYyuoKPadiiA3DJeHcsNjxbbjcqmllTFQurRI9l:CmR7RdL+PmKhyU7sHcsxxbbopDmm29l

Malware Config

Extracted

Family

xworm

Version

5.0

C2

69.174.100.131:7000

Mutex

MruG8tu9BvvVUsIA

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

69.174.100.131:6606

Mutex

abkZfsCYRZhk

Attributes
  • delay

    10

  • install

    false

  • install_file

    order.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Your file name without extension goes here.exe

    • Size

      378KB

    • MD5

      fbf8e3dc8cbcf036474e0a43a27aa8bd

    • SHA1

      ae8404bdaa3c6a8e115f208f4a63d971061045f9

    • SHA256

      8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e

    • SHA512

      4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa

    • SSDEEP

      6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • UAC bypass

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

    • Vipkeylogger family

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks