General

  • Target

    LYM products new order PO 20250200099 LHG on.pif.exe

  • Size

    6KB

  • Sample

    250323-21p7zayyfw

  • MD5

    087bad0a8e51d9b9c207ce0ab1078fbd

  • SHA1

    1d7faf39196449e3149c15ce6282f3c3d52da8f7

  • SHA256

    abd033ee116082febb4bb391ee36cde8af7b67643a41750bb79ea66bc327ee78

  • SHA512

    1df49fdbb7d17c16e30575fa322d2d039fb2ed9624e8ebc7ffc712be16e513f4c9bbb8bd70da8bca20e16e3fc2fbeebf30c21bf293bc1b7ab254e01c221e3e75

  • SSDEEP

    96:cFGNMBB2qTdc/4wnas4hyj3tnjqC9XbYtNgV1kPzNt:FqBB2qTdc/bQhy39j5MG6

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    bin12.ydns.eu:4050

    bin14.ydns.eu:4050

    kingsbkup1.ydns.eu:4050

    smfcs1.ydns.eu:4050

    smfcs3.ydns.eu:4050

  • Mutex

    8e2oXK285cheLv6o

  • Attributes

    install_file: USB.exe

    aes.plain

Targets

    • Target

      LYM products new order PO 20250200099 LHG on.pif.exe

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open-source infostealer written in C#.

    • StormKitty payload

    • StormKitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15