General

  • Target

    Azorult 3.3‌.exe

  • Size

    1.1MB

  • Sample

    241214-wrpxys1req

  • MD5

    b91fe4c246efc048b78c9e162754a7a9

  • SHA1

    15e1c4fe989290b07b60f93340476a9ba025bfa9

  • SHA256

    d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf

  • SHA512

    4538a437fb2241ee38b1ab256618bbf2ea752bab92146fbf9138c6dd9585c5a5291155e19c6004372c925f300c0c7cfa87b7dfc467b556e8dbab092d8d04a2d2

  • SSDEEP

    24576:KMyijQZ+ZJLXrfQRTJ6/aIRQbhB0LrKqk:/D0Z+ZZr4RT/I2dB0yqk

Malware Config

Extracted

Family

xworm

C2

146.190.110.91:3389

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Targets

    • Target

      Azorult 3.3‌.exe


    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15