Resubmissions
09-02-2025 18:43
250209-xc9t9azjfz 609-02-2025 18:18
250209-wx2tpsypex 609-02-2025 17:43
250209-wa19naxrgk 1009-02-2025 17:24
250209-vynsssxnhp 809-02-2025 17:01
250209-vjteqsxnds 609-02-2025 14:35
250209-ryd2tatqek 109-02-2025 14:24
250209-rqq2eatnhn 709-02-2025 13:39
250209-qx2k2ssqdw 809-02-2025 13:24
250209-qndgvsslbn 6General
-
Target
test.txt
-
Size
18B
-
Sample
250209-lstmessqft
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
Malware Config
Extracted
xworm
sddgdsfgeds-43448.portmap.host:43448
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
test.txt
-
Size
18B
-
MD5
5b3f97d48c8751bd031b7ea53545bdb6
-
SHA1
88be3374c62f23406ec83bb11279f8423bd3f88d
-
SHA256
d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
-
SHA512
ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Stormkitty family
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
Xenarmor family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Detected potential entity reuse from brand MICROSOFT.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1