stealerium

General

Target

PlainX.Crypter.zip
Size

13.0MB
Sample

250127-wwy2eszqh1
MD5

e10e5d43fd0d1ffaff35f5992916204f
SHA1

8b0f6bbfdba45cf09a56b553a1684c5717f1cf2a
SHA256

0bc0e4ad660c382f3291d9cff6e43e4e4f2a6875678b8557bf237f2ef5360eb8
SHA512

4f85ee02468327eab59202f4db325437e9636f7104f751619f642cf7f3eadb34952132d64d55dfee6d7635d94b21b8dba0e35ba62af5856f69aa238bc080c1bb
SSDEEP

393216:SrNev055XcxGsyF37u/md7uB1tzfSyhMO:SrVjXUG3kmd7uB1tzfSyiO

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WcpxqjjxSrB6UOUw

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL
telegram
https://api.telegram.org/bot7483240807:AAHWuUBi6sW9ZOb0kfXVbzbMVyLtPj-9vZY/sendMessage?chat_id=5279018187

aes.plain

Extracted

Family

stealerium

C2

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Targets

- Target
  
  Guna.UI.dll
- Size
  
  1.1MB
- MD5
  
  8673eae95d67e5eb19f0eca3111408e8
- SHA1
  
  ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb
- SHA256
  
  576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d
- SHA512
  
  65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239
- SSDEEP
  
  24576:hUsmpWNSUFmCqJPNsTuJDYYviEcHy1t6Y:hSUQWSF8q
Score

1^/10
behavioral1 behavioral2
- Target
  
  PlainX Crypter.exe
- Size
  
  13.1MB
- MD5
  
  e02070f24247621be04948fefe100a81
- SHA1
  
  e41afedf121e07b6598355562fdf5725a5dc4064
- SHA256
  
  d087091be3376d85fc1d39523f82ebe1d01b7ac4e4d10f1855f374498fddcc71
- SHA512
  
  ca39dbf2f1b9a6d3071e2d18e51ed9d5f222ed4155721faebcf72c2aad929607a027eaf5d1f0942d4c6827260ff3be6d2516e5d4f26a7fd0e53eb5e39a261dfc
- SSDEEP
  
  196608:M9dla9WjVQJz4JuRuVXt7teDDT5A0GJLz8o2Z/NA1cV1zoXfKNPqxTP6fHrCoz/B:M9dfdXtWDT5no2Z1Wcb0IPuC/r/ya+8
Score

10^/10

stealerium xworm discovery execution persistence rat stealer trojan
- Detect Xworm Payload
- Stealerium
  An open source info stealer written in C# first seen in May 2022.
  stealer stealerium
- Stealerium family
  stealerium
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4