General

  • Target

    https://gofile.io/d/lkw1cL

  • Sample

    241219-3h1restjaw

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

UMQZb5rpS8DkO7oc

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Skuld family

    • Skuld stealer

      An info stealer written in Go lang.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Server Software Component: Terminal Services DLL

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks