xenarmor | a265e252614455e8eacfd57cbca9c4f8b186453319182fca63af168353ad7db2

General

Target

a265e252614455e8eacfd57cbca9c4f8b186453319182fca63af168353ad7db2
Size

667KB
Sample

250204-vbamnavjbp
MD5

9daa022e0874d317529461eefc6faa3c
SHA1

965f162bd7958ad345afba571939a3446e69a8d7
SHA256

a265e252614455e8eacfd57cbca9c4f8b186453319182fca63af168353ad7db2
SHA512

1465b9a4bda06bf7bd305f7742f42b314bc9d38ed1c36a8c9b726a1dcb8a7b16e9b84c111cf091786da4e7bd36595cf09d2b79a148534d3f6a46ccb113365ea8
SSDEEP

12288:bRnffvIK3k/UnRXulEYk7ZayKHmrqRayct5lSiaggZYnzoAlZMqug5mrbOTZk:bpnJR9Bc1mrqRH0c2n+8mrbok

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

176.96.137.181:1111

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Targets

- Target
  
  invoice.pif
- Size
  
  794KB
- MD5
  
  ab7f5bbd4f9e27f314e85497f6702799
- SHA1
  
  03b2710a8fce806479fcac75eb99ae7f84a6bfb0
- SHA256
  
  7e651b79c6085fe8c784384b8c7e05b57064778f97def56f059cac2ef1a793d9
- SHA512
  
  24b88610be3a1cb26fccba71b40b7e7a221b7b208a0077e504755dfd287d287c056b0a4e64318c1997a5ee26d54ddacc52ddb99e444f72f9497253a631678efd
- SSDEEP
  
  24576:H8S1qRnWMvyCyCzzK2mRtgJxMHMXBc7qEx:QnW2yCyCzERuJxmMxcP
Score

10^/10

xenarmor xworm collection discovery execution password persistence rat recovery spyware stealer trojan upx
- Detect Xworm Payload
- XenArmor Suite
  XenArmor is as suite of password recovery tools for various application.
  recovery password xenarmor
- Xenarmor family
  xenarmor
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2