Resubmissions

01/02/2025, 04:36

250201-e8fbeaslav 10

General

  • Target

    ShibaLoader.bat

  • Size

    48KB

  • Sample

    250201-e8fbeaslav

  • MD5

    cf03d51ea7c92f39c049a8bac53e600b

  • SHA1

    bca665f956cc89dbca11c6f0123a6a3c09862369

  • SHA256

    f380251e8bbf78c8dfb3e9a42061b2c33fafb4ac521d24644d4489cb6a39e77d

  • SHA512

    430c07e508a15506c4a7ac1934314a793c96084bdc60c8bba5283ef402097212f7407207a5b071aade0d62f3b2fd44d622fae8d76fa1f8507b8106d702ce75f3

  • SSDEEP

    768:dGF+McQHCeIB8kNaScUpGsn47DhizLVN7FSi2Vw7vDeBdE7bcjXIJD6na:q9c2CPB8OZc3ss8ThP7vis7wj4JDv

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:25811

8.tcp.eu.ngrok.io:25811

Mutex

S18UdfokIrz0cmvm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain
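The extracted config above is the most useful part of the report, but it needs a little interpretation before it becomes a hunt list: a `127.0.0.1` C2 can never be reached from a victim (it is the builder's local listener address), and an `N.tcp.<region>.ngrok.io` host resolves to ngrok's tunnel infrastructure rather than to the operator. The following Python is an added example, not code from the sandbox or from the XWorm project, that classifies each C2 entry and turns the config into a structured IOC set. The `C:\ProgramData` expansion of `%ProgramData%` is an assumption (default install drive); the real path comes from the infected host's environment.

```python
import re
from dataclasses import dataclass

# Values copied from the extracted XWorm 5.0 config shown above.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "version": "5.0",
    "c2": ["127.0.0.1:25811", "8.tcp.eu.ngrok.io:25811"],
    "mutex": "S18UdfokIrz0cmvm",
    "install_directory": "%ProgramData%",
    "install_file": "USB.exe",
}

# ngrok TCP tunnel endpoints look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(?:[a-z]{2}\.)?ngrok\.io$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: default locations on a C: install. Keys are lower-cased for lookup.
WINDOWS_ENV_DEFAULTS = {
    "%programdata%": r"C:\ProgramData",
    "%appdata%": r"C:\Users\<user>\AppData\Roaming",
    "%localappdata%": r"C:\Users\<user>\AppData\Local",
    "%temp%": r"C:\Users\<user>\AppData\Local\Temp",
}


@dataclass(frozen=True)
class C2Entry:
    host: str
    port: int
    kind: str          # "loopback", "ngrok-tunnel", "ipv4" or "domain"
    actionable: bool   # worth blocking or hunting on its own


def parse_c2(entry: str) -> C2Entry:
    """Split an XWorm 'host:port' string and classify the host.

    Only IPv4 and hostname forms are handled; bracketed IPv6 is not expected
    in XWorm configs and is rejected with ValueError like any other junk.
    """
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"not a host:port entry: {entry!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {entry!r}")
    if host.lower() == "localhost" or host.startswith("127."):
        # Builder's local test address: unreachable from a victim, so it is not a
        # network indicator. It still records the operator's local listener port.
        return C2Entry(host, port_num, "loopback", False)
    if NGROK_TCP_RE.match(host):
        # Tunnel endpoint: resolves to ngrok, not to the operator's own host.
        return C2Entry(host, port_num, "ngrok-tunnel", True)
    if IPV4_RE.match(host):
        return C2Entry(host, port_num, "ipv4", True)
    return C2Entry(host, port_num, "domain", True)


def expand_windows_path(directory: str, filename: str) -> str:
    """Join install_directory and install_file using the assumed defaults above."""
    prefix = WINDOWS_ENV_DEFAULTS.get(directory.lower(), directory)
    return prefix.rstrip("\\") + "\\" + filename


def build_iocs(config: dict) -> dict:
    """Produce a hunt-ready IOC set, separating usable C2s from placeholders."""
    c2 = [parse_c2(e) for e in config["c2"]]
    return {
        "family": f"{config['family']} {config['version']}",
        "network": [f"{e.host}:{e.port}" for e in c2 if e.actionable],
        "ignored_c2": [f"{e.host}:{e.port}" for e in c2 if not e.actionable],
        "tunnel_hosts": [e.host for e in c2 if e.kind == "ngrok-tunnel"],
        "ports": sorted({e.port for e in c2}),
        "install_path": expand_windows_path(config["install_directory"],
                                            config["install_file"]),
        "mutex": config["mutex"],
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED_CONFIG).items():
        print(f"{key:13} {value}")
```

Because the ngrok hostname is shared infrastructure, block or alert on the `tunnel_hosts` entry rather than on whatever IP it resolves to at the time of analysis; the mutex and the expected `install_path` are the stable host-side indicators.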

Targets

    • Target

      ShibaLoader.bat

    • Size

      48KB

    • MD5

      cf03d51ea7c92f39c049a8bac53e600b

    • SHA1

      bca665f956cc89dbca11c6f0123a6a3c09862369

    • SHA256

      f380251e8bbf78c8dfb3e9a42061b2c33fafb4ac521d24644d4489cb6a39e77d

    • SHA512

      430c07e508a15506c4a7ac1934314a793c96084bdc60c8bba5283ef402097212f7407207a5b071aade0d62f3b2fd44d622fae8d76fa1f8507b8106d702ce75f3

    • SSDEEP

      768:dGF+McQHCeIB8kNaScUpGsn47DhizLVN7FSi2Vw7vDeBdE7bcjXIJD6na:q9c2CPB8OZc3ss8ThP7vis7wj4JDv

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
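Each behaviour in the list above leaves a distinct trace on an instrumented host: the Defender exclusion lands in PowerShell script-block logging (event 4104), the startup file and Run key in Sysmon file-create (11) and registry-set (13) events, and the ngrok and IP-lookup contacts in Sysmon DNS events (22). The Python below is an added example, not code from the sandbox or from this report, that runs simple detection logic over constructed sample events shaped like that telemetry. The sample records, the list of IP-lookup hostnames (the report does not name the service used) and the ngrok domain pattern are assumptions; the MITRE IDs are the standard mappings for each behaviour.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal normalised Windows telemetry record."""
    source: str   # "powershell_4104", "sysmon_11", "sysmon_13" or "sysmon_22"
    fields: dict


@dataclass
class Hit:
    technique: str
    description: str
    evidence: str


# Constructed sample telemetry (not taken from the sandbox report), modelled on
# what the behaviours listed above would produce. Paths and SIDs are illustrative.
SAMPLE_EVENTS = [
    Event("powershell_4104", {"ScriptBlockText":
          'Add-MpPreference -ExclusionPath "C:\\ProgramData" '
          '-ExclusionExtension "exe" -ExclusionProcess "USB.exe"'}),
    Event("sysmon_11", {"TargetFilename":
          "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\"
          "Start Menu\\Programs\\Startup\\USB.lnk"}),
    Event("sysmon_13", {"TargetObject":
          "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\USB",
          "Details": "C:\\ProgramData\\USB.exe"}),
    Event("sysmon_13", {"TargetObject":                                  # benign control
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
          "Details": "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"}),
    Event("sysmon_22", {"QueryName": "8.tcp.eu.ngrok.io"}),
    Event("sysmon_22", {"QueryName": "api.ipify.org"}),
    Event("sysmon_22", {"QueryName": "www.microsoft.com"}),             # benign control
]

# Add-MpPreference / Set-MpPreference with any of the three exclusion switches.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.I | re.S)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Heuristic: autostart entries pointing into user-writable locations.
USER_WRITABLE_RE = re.compile(
    r"\\(?:ProgramData|Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp)\\", re.I)
# Assumption: current ngrok tunnel domains.
NGROK_RE = re.compile(r"(?:^|\.)ngrok(?:-free)?\.(?:io|app|dev)$", re.I)
# Assumption: common external-IP lookup services; the report does not say which one.
IP_LOOKUP_HOSTS = frozenset({
    "api.ipify.org", "ip-api.com", "ifconfig.me", "icanhazip.com",
    "checkip.amazonaws.com", "ipinfo.io",
})


def detect(events) -> list:
    """Return one Hit per event that matches a behaviour from the report."""
    hits = []
    for ev in events:
        f = ev.fields
        if ev.source == "powershell_4104":
            text = f.get("ScriptBlockText", "")
            if DEFENDER_EXCLUSION_RE.search(text):
                hits.append(Hit("T1562.001", "Defender exclusion added via PowerShell", text))
        elif ev.source == "sysmon_11":
            path = f.get("TargetFilename", "")
            if STARTUP_DIR_RE.search(path):
                hits.append(Hit("T1547.001", "File dropped into Startup folder", path))
        elif ev.source == "sysmon_13":
            if RUN_KEY_RE.search(f.get("TargetObject", "")):
                target = f.get("Details", "")
                if USER_WRITABLE_RE.search(target):
                    hits.append(Hit("T1547.001",
                                    "Run key points into user-writable directory", target))
        elif ev.source == "sysmon_22":
            query = f.get("QueryName", "")
            if NGROK_RE.search(query):
                hits.append(Hit("T1572", "DNS lookup for ngrok tunnel endpoint", query))
            elif query.lower() in IP_LOOKUP_HOSTS:
                hits.append(Hit("T1016", "External IP lookup via web service", query))
    return hits


def techniques(hits) -> list:
    """Distinct ATT&CK technique IDs seen, for a quick coverage summary."""
    return sorted({h.technique for h in hits})


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h.technique:10} {h.description}: {h.evidence}")
```

The Run-key rule deliberately ignores entries that point into `Program Files` or `Windows`, which is why the second `sysmon_13` record produces no hit; on a real estate you would tune `USER_WRITABLE_RE` to the paths your own software legitimately autostarts from, and correlate the four hits by process rather than treating any one of them as conclusive.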

MITRE ATT&CK Enterprise v15

Tasks