General

  • Target

    file.exe

  • Size

    1.8MB

  • Sample

    241212-s62zaa1kfk

  • MD5

    58f824a8f6a71da8e9a1acc97fc26d52

  • SHA1

    b0e199e6f85626edebbecd13609a011cf953df69

  • SHA256

    5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17

  • SHA512

    7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

  • SSDEEP

    49152:OA12qngJy5Eptzh8wg9fmH5pKKMmDiuV:OHJyEptzh8n05QHwV

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:8080

101.99.92.189:8080

Mutex

d5gQ6Zf7Tzih1Pi1

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

invictastealer

C2

https://discord.com/api/webhooks/1284928312644210758/NMr-jAIuHGcipUibd7yBiXxOZi0wJo9DYokyl6ErP_A2ww1OULjv48d2__GYb89K8I_O

Targets

    • Target

      file.exe

    • Size

      1.8MB

    • MD5

      58f824a8f6a71da8e9a1acc97fc26d52

    • SHA1

      b0e199e6f85626edebbecd13609a011cf953df69

    • SHA256

      5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17

    • SHA512

      7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461

    • SSDEEP

      49152:OA12qngJy5Eptzh8wg9fmH5pKKMmDiuV:OHJyEptzh8n05QHwV

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Invicta

      Invicta Stealers a free C++ stealer with a builder.

    • Invictastealer family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks