General

  • Target

    XWorm-3.1

  • Size

    264KB

  • Sample

    241223-y1t95szmew

  • MD5

    6ece5f89f022b233021f2f652c0a1990

  • SHA1

    d6bc0647ba593b2ce55d99901b738a0f83db1f9f

  • SHA256

    fbdb43f4a3166b501fa8ca25979ff8d95307114592c03cd9f472c56503af32ef

  • SHA512

    67b9e8786d34041e29318bc3e66cd307d11a0961aeddfa9b7353075a9ef47ff0eab99a0ca2dedefbf94d3b2e73692e09557dbe21adede775b68ee954e65d8152

  • SSDEEP

    6144:DKNPepOL/saqkPV9Fe2LtcIDSsmw19tvZJT3CqbMrhryf65NRPaCieMjAkvCJv1r:mNPepOL/saqkPV9Fe2LtcIDSsmw19tv2

Malware Config

Extracted

Family

xworm

Version

3.1

C2

next-screening.at.ply.gg:48590

Attributes
  • Install_directory

    %AppData%

  • install_file

    chrome.exe

Extracted

Family

xworm

C2

127.0.0.1:666

180.ip.ply.gg:666

Attributes
  • install_file

    USB.exe

Targets

    • Target

      XWorm-3.1

    • Size

      264KB

    • MD5

      6ece5f89f022b233021f2f652c0a1990

    • SHA1

      d6bc0647ba593b2ce55d99901b738a0f83db1f9f

    • SHA256

      fbdb43f4a3166b501fa8ca25979ff8d95307114592c03cd9f472c56503af32ef

    • SHA512

      67b9e8786d34041e29318bc3e66cd307d11a0961aeddfa9b7353075a9ef47ff0eab99a0ca2dedefbf94d3b2e73692e09557dbe21adede775b68ee954e65d8152

    • SSDEEP

      6144:DKNPepOL/saqkPV9Fe2LtcIDSsmw19tvZJT3CqbMrhryf65NRPaCieMjAkvCJv1r:mNPepOL/saqkPV9Fe2LtcIDSsmw19tv2

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • A potential corporate email address has been identified in the URL: currency-file@1

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks