General

  • Target

    login

  • Size

    27KB

  • Sample

    250207-zvdwmsylgl

  • MD5

    d0a165d56b32ea5ea2e0402fc4b48336

  • SHA1

    1deafd5727a8d4d5a0bdcb027e351ea9c9a8a880

  • SHA256

    0a0ddd5f09fbe703ab643b11593b2c4964524cd5290aaab5ed4b22602ecdb473

  • SHA512

    0a9706ebdb6d3c4531898bf79f91005a777a148bc381a90bcc1893ecc3f5fd39f949819f913d620d7b0a839aeeb4382443ec5e3c361000a8011792c948012130

  • SSDEEP

    384:gYm5X477sGGzK+TpQn7M9cyqy/f2f/Yb6WiZDuujffGfMfwepz3syZj5XCqzGX3D:O/+scm2f/Yb6Hhuuj3UWwep7syZ9Cb

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:7000

  • Mutex

    QzIFGn8iOnGjezTy

Attributes

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      login

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Downloads MZ/PE file

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution