General

  • Target

    28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe

  • Size

    192KB

  • Sample

    241216-tjljfsvkb1

  • MD5

    18a79c670207a856be0fcbc58a4c6b70

  • SHA1

    8fe96a186e90dd0ce306fcfbe54056ae1c5ecf07

  • SHA256

    28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0f

  • SHA512

    005ceb943b073f8707afd91f468e87098c7add930cd97ea668de4937ec441fa6d593b5f9dd07b53a9949cdbf3187d11b864261d7d53eddea55b9d9a9d0ad82bf

  • SSDEEP

    3072:EGPMlTjUYLCLoz12cFfi0HDYaKf7/t5uXwEdeTuTROMX9:ePaoUZOMHf7/tQ1eTQ7

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

xworm

Version

5.0

C2

ingles-52514.portmap.host:52514

Mutex

9Vc1HafYmpvbkdVv

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0fN.exe

    • Size

      192KB

    • MD5

      18a79c670207a856be0fcbc58a4c6b70

    • SHA1

      8fe96a186e90dd0ce306fcfbe54056ae1c5ecf07

    • SHA256

      28a0058cbb3eb467a650f4589dab9d2ab12765ea07d28534bd69351dc6093e0f

    • SHA512

      005ceb943b073f8707afd91f468e87098c7add930cd97ea668de4937ec441fa6d593b5f9dd07b53a9949cdbf3187d11b864261d7d53eddea55b9d9a9d0ad82bf

    • SSDEEP

      3072:EGPMlTjUYLCLoz12cFfi0HDYaKf7/t5uXwEdeTuTROMX9:ePaoUZOMHf7/tQ1eTQ7

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks