General

  • Target

    aquatic.rar

  • Size

    32.9MB

  • Sample

    241213-sv4zhavjcl

  • MD5

    5bd8314885aa5941e4e7d3fd1cd08c9e

  • SHA1

    a8ee58da352c44dfe6d6659c6e3c1d0899638c26

  • SHA256

    e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f

  • SHA512

    99f559d1866ebead5337de3098dc295ef8032bc59db8eb2d1f9853f559f574215743ace7fe386908818f190800403bdc41c981dfd9b3279851ff3c835256293e

  • SSDEEP

    786432:c/lq+fejuFKsmOgrsiZbH0DlOy6m4cy5dJulOg1ns+RoDlQl/y:c/E/jYZfjidEE6ybJ61nR6Qlq

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Targets

    • Target

      aquatic.rar

    • Size

      32.9MB

    • MD5

      5bd8314885aa5941e4e7d3fd1cd08c9e

    • SHA1

      a8ee58da352c44dfe6d6659c6e3c1d0899638c26

    • SHA256

      e480c8945eb3750a57c2544a72059177b7b8cebdb0814c9e0155165daf83c53f

    • SHA512

      99f559d1866ebead5337de3098dc295ef8032bc59db8eb2d1f9853f559f574215743ace7fe386908818f190800403bdc41c981dfd9b3279851ff3c835256293e

    • SSDEEP

      786432:c/lq+fejuFKsmOgrsiZbH0DlOy6m4cy5dJulOg1ns+RoDlQl/y:c/E/jYZfjidEE6ybJ61nR6Qlq

    • Detect Umbral payload

    • Detect Xworm Payload

    • Njrat family

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Umbral family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks