General

  • Target

    BuffMailv1.4.4.rar

  • Size

    27.0MB

  • Sample

    250207-qjse8atkfn

  • MD5

    6c33ffdb0e46ae5be463f2d2900666e3

  • SHA1

    b511f9bd5594c979b87467d745c3a58c2ef397e1

  • SHA256

    b77fc2a0a9dc15d6c640955cbc102f2746840a8f18021a599bfa76d9d253f72d

  • SHA512

    fa623183e87adbb3b463e513ebdc6bfef9a1fe24c61c960af954cad3ba2ffce3247d64ef0612d541cbb19f6c41643c683631888ba926d79d5a9855e749b418bd

  • SSDEEP

    786432:H9Wg6FBwOgzrLGJkAFR4pilO+Z7GbG0tqqhuiGQajcT:YdBwO7OCRHlOu8tLETQac

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    daddy.linkpc.net:7000

  • Mutex

    nBfLrI3THCbr8hBO

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      BuffMailv1.4.4/BuffMail_.exe

    • Size

      17.4MB

    • MD5

      1786e0965be5615a3d534f0e75740624

    • SHA1

      8c2e582e9968f2628f125e2126654ac89eb03051

    • SHA256

      1ed7982878b5d80d819d4aaab2b9fc3ef8a78a4fbc45e40476955b6b34d6e353

    • SHA512

      c6c7451a98352f82cc090f722eb8d981ccdab33e4124d789a17fc9475f45cd93603dae9a2e76d7fe1b43d78f269245f17c28c44b679952a91d58cb4701924673

    • SSDEEP

      393216:rV/8SWg6F1PwO85zGGAkIDMcJ6V9AFlBpWaBUk4pfKlO88wuCfDuHb+:Z9Wg6FBwOgzrLGJkAFR4pilO+Z7Gb

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      BuffMailv1.4.4/srv.dll

    • Size

      5.3MB

    • MD5

      288376007e075bb3c3c26d3ee73e730e

    • SHA1

      90d74a9cac49643b7a761fe7aefd4c75dc393591

    • SHA256

      1df077f2d01274acbfad03d58851d43c24bab7f496e16d45af84e8bc7f0b4bea

    • SHA512

      c4e80f34770651f2dbee11210dc609e76590fb9fc9801a13585c48bdcfd1ab558607701ac91bcf556778cfb697e8d7c75430bd98bfc6013d16cc9a1047ef9340

    • SSDEEP

      98304:zHMZjcJ6rKbkVGUJyQFX46B/ehybvkWyR9JcCkgxMTjMoU95vbr/KKNBC/tR:gZe6WwckwukWKFm0vbL

    • Score

      1/10

    • Target

      BuffMailv1.4.4/stk.dll

    • Size

      4.8MB

    • MD5

      84a0562c63f673277fee115a73fc25ee

    • SHA1

      295801e535546c4a90b3fb29fe3aa9c34a72a0b0

    • SHA256

      41da8ab7da5754c6db9611777d455865b8fe53c575468560eb872d8544b75c56

    • SHA512

      7f0cf491b1412bfae7d60a216ee866d866e56d6c3e8bbba67cfbd7364bac6ffd053f918097cbd73e2734d6e4a64ec4172923408f63dc781c5b3c90e9203cc52e

    • SSDEEP

      98304:leM6mfgQmiiqsUSry16H74I42WQob8beKnLta2u/thjIn0z2:UekrJ+o89d/njI0z2

    • Score

      7/10

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks