Overview

overview

10

Static

static

10

Xeno-v1.1....no.exe

windows7-x64

7

Xeno-v1.1....no.exe

windows11-21h2-x64

10

Xeno-v1.1....UI.exe

windows7-x64

10

Xeno-v1.1....UI.exe

windows11-21h2-x64

10

Xeno-v1.1....UI.exe

windows7-x64

10

Xeno-v1.1....UI.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Xeno-v1.1.3-x64.rar

  • Size

    14.2MB

  • Sample

    250211-wybznswlev

  • MD5

    33c462d92c1fd50b190c7e1a9bf81b83

  • SHA1

    2b10cb847946fa1a44bbdf26da10003574ce8f01

  • SHA256

    ad23e27a15e3d2451162bdfa17c56a26e4ee9c8892ab6964275d9dedbdff84b5

  • SHA512

    75212f758ebac8405465b4a98c3559f0f9f546929925eca52c43af9137db5077ec785caa3b36ee1ec6d5fbc94c1f6a36b9feaf427baa065e6b9b95706640f24a

  • SSDEEP

    393216:DaGqi2oTzgVZMgXtLNm0+0DS1psZ6QMqMGpq3/Lv:7qN6gQg9LNhFm164QM/Gpq3/Lv

Score
10/10
exelastealerxwormcollectiondefense_evasiondiscoverypersistenceprivilege_escalationpyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:5552

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      Xeno-v1.1.3-x64/Xeno.exe

    • Size

      10.8MB

    • MD5

      a10ae5339c94657875b5991d2b4fb0d0

    • SHA1

      6bd22c7d3e7ad538e2d8da2ea1e20257795994eb

    • SHA256

      0f669ab830e863c182ec5573e59625f76b69db6963e78c868c76e74128f86e2b

    • SHA512

      ac15657ed86595279cf2f529a917040a2687e49c953f36973c28147c95fd8d8787df008526c1d4ca5cfdb14d32c1f465242f0f552f264499b476ee3531a7e2ab

    • SSDEEP

      196608:M+AQcHKApx3ivNm1E8giq1g9mveNo+wfm/pf+xfdkR6HAxKwCr2WOHWKD3beH:6Qctn3i1m1Nqao+9/pWFGRZ0br2W673k

    Score
    10/10
    discoveryupxexelastealercollectiondefense_evasionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Exelastealer family

      exelastealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      defense_evasion

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      Xeno-v1.1.3-x64/XenoUI.dll

    • Size

      95KB

    • MD5

      0c693fdf5031de28e139121866d4e71f

    • SHA1

      d4e3f81ce0ac00efbc537b6aa4ebc07f039aaf9a

    • SHA256

      3788b42e87c69c077868856b07c03e8606e0f49389c947231701100d99337e1c

    • SHA512

      4298a579eea032e794ac4aaa2e18c793fbe0d3f33a2f8e948fde510427e604f06072b71703183c9ca88c73a805627187241f47845a9f16822243388ae5cb42af

    • SSDEEP

      1536:gOTgjZ0JbSfMuafhOWR42zxMVY6dTPr/Wa5iiphLuM/APHV5y6SlSW8zXR:bT+WytdTPr/WAbK7Pby6S+zXR

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      Xeno-v1.1.3-x64/XenoUI.exe

    • Size

      82KB

    • MD5

      cead4ff10b38e2da24c55582ce8602ea

    • SHA1

      efbf5d6df5a8a928d8b2a00f14c94472d5708b32

    • SHA256

      3da936a74e79a858404e820a7d0f9efd290d9299dd49a55305a865d07bd3d69a

    • SHA512

      fc599e31caad9cec48143a8d1ad8536e6af980a5b98350c44d15ae81c9eb8e7141c1e0ca3a5896f45a0322dd97794c6cbb7c6dcbbed83f1f2f79ec59ac8b7140

    • SSDEEP

      1536:IwIP5m99SZpD039LVdjMYWI7976Ob6G70ML476MrnEOstXl6daRG:IDo9wA9vjMSGOb6Gz4trEOsb6oG

    Score
    10/10
    xwormrattrojandiscovery

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Downloads MZ/PE file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks