General

  • Target

    wow.exe

  • Size

    14.8MB

  • Sample

    241217-y12zzsxqcl

  • MD5

    b2c17e4aaa1ab07e2be2c6e08120c7fe

  • SHA1

    67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74

  • SHA256

    d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d

  • SHA512

    5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223

  • SSDEEP

    393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT

Malware Config

Extracted

Family

xworm

Version

5.0

C2

lohoainam2008-36048.portmap.io:36048

Attributes
  • Install_directory

    %AppData%

  • install_file

    Setup.exe

  • telegram

    https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

147.185.221.19:58142

Extracted

Family

xworm

C2

127.0.0.1:48990

147.185.221.22:48990

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchostt.exe

Extracted

Family

xworm

Version

3.0

C2

soon-lp.at.ply.gg:17209

Attributes
  • Install_directory

    %AppData%

  • install_file

    NjRat Dangerous.exe

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

14.243.221.170:3322

Mutex

ynBzTukwLg8N

Attributes
  • delay

    3

  • install

    false

  • install_file

    Clean.bat

  • install_folder

    %Temp%

aes.plain

Extracted

Family

stealc

Botnet

Line

C2

http://154.216.17.90

Attributes
  • url_path

    /a48146f6763ef3af.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      wow.exe

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • Detect Xworm Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Async RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempts to gather information on the host's network.

MITRE ATT&CK Enterprise v15

Tasks