General

  • Target

    ORDER NAME MV MYNY IMO.exe

  • Size

    6KB

  • Sample

    250323-27e1ksy1bz

  • MD5

    ba18f4e4a8a2b81de4a47a93a02fc8b5

  • SHA1

    07893f128df30f82811503fa567baae1751bbac8

  • SHA256

    3bf9df96547c080c337ac832dbb50f0bd779e3fe6c7ce7db47a827aa74fc4764

  • SHA512

    8f0bf7af99db9d527adb292cbec0d344da8b80455d161fc8c1f907e53c114e317d01a25591699bf7e540c0cf16f584cfc78ba1b25321b4e7912d646dd51343e5

  • SSDEEP

    96:Y8OQCtGcR3Bpbp2byj3t50sTbPRMk5fPzxtNAZKzNt:jCtGcR3Byy3nzeklN6s

Malware Config

Extracted

Family

xworm

Version

5.0

C2

bin12.ydns.eu:4050

bin14.ydns.eu:4050

kingsbkup1.ydns.eu:4050

smfcs1.ydns.eu:4050

smfcs3.ydns.eu:4050

Mutex

HBJF3rW4RSROdudO

Attributes
  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      ORDER NAME MV MYNY IMO.exe (size and hashes as listed under General above)

    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely used as a geofence to decide whether to run.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser profile data, which can include saved credentials and session cookies.

    • Suspicious use of SetThreadContext
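The extracted config (C2 hosts and port, mutex, install_file) and the behaviour signatures above ("Drops startup file", "Executes dropped EXE") translate directly into host-telemetry checks. The script below is an added example, not code from the sandbox report or from the XWorm project: it carries the report's indicators and runs them over constructed Sysmon-style event records. The field names (EventID 1/3/11/22, Image, Hashes, DestinationHostname, DestinationPort, TargetFilename, QueryName) and the Startup-folder drop location are assumptions to adapt to your own log pipeline; the report names USB.exe but not where it is written.

```python
"""Match the XWorm indicators from this report against host telemetry.

Added example, not code from the sandbox report or the XWorm project. It
assumes Sysmon-style event dicts (EventID 1 process create, 3 network
connect, 11 file create, 22 DNS query) with the field names used below;
adapt them to your log source. The events at the bottom are constructed.
"""
import hashlib

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "MD5": "ba18f4e4a8a2b81de4a47a93a02fc8b5",
    "SHA1": "07893f128df30f82811503fa567baae1751bbac8",
    "SHA256": "3bf9df96547c080c337ac832dbb50f0bd779e3fe6c7ce7db47a827aa74fc4764",
}
C2_HOSTS = {"bin12.ydns.eu", "bin14.ydns.eu", "kingsbkup1.ydns.eu",
            "smfcs1.ydns.eu", "smfcs3.ydns.eu"}
C2_PORT = 4050
MUTEX = "HBJF3rW4RSROdudO"
INSTALL_FILE = "USB.exe"


def parse_sysmon_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes field into a dict (values lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def is_known_sample(data):
    """True if the bytes hash to the sample's SHA256 (the strongest hash listed)."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_HASHES["SHA256"]


def mutex_names_hit(names):
    """True if the config mutex appears in a list of mutex names (e.g. from a handle dump)."""
    return MUTEX in set(names)


def match_events(events):
    """Return [(rule_name, event), ...] for every event that matches an indicator.

    Events must be in chronological order: 'executes_dropped_exe' fires only
    for a process whose image path was written earlier in the same stream.
    """
    hits = []
    dropped = set()  # lower-cased paths of files written during the stream
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            if parse_sysmon_hashes(ev.get("Hashes", "")).get("SHA256") == SAMPLE_HASHES["SHA256"]:
                hits.append(("known_sample_executed", ev))
            if ev.get("Image", "").lower() in dropped:
                hits.append(("executes_dropped_exe", ev))
        elif eid == 3:
            if (ev.get("DestinationPort") == C2_PORT
                    and ev.get("DestinationHostname", "").lower() in C2_HOSTS):
                hits.append(("c2_connect", ev))
        elif eid == 11:
            path = ev.get("TargetFilename", "").lower()
            dropped.add(path)
            # install_file from the config landing in a Startup folder; the
            # Startup-folder location is an assumption, not stated by the report.
            if path.endswith("\\" + INSTALL_FILE.lower()) and "\\startup\\" in path:
                hits.append(("startup_file_drop", ev))
        elif eid == 22:
            if ev.get("QueryName", "").lower() in C2_HOSTS:
                hits.append(("c2_dns_query", ev))
    return hits


# Constructed telemetry for one infected host (not real logs).
_SAMPLE = r"C:\Users\alice\Downloads\ORDER NAME MV MYNY IMO.exe"
_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USB.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": _SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=BA18F4E4A8A2B81DE4A47A93A02FC8B5,"
               "SHA256=3BF9DF96547C080C337AC832DBB50F0BD779E3FE6C7CE7DB47A827AA74FC4764"},
    {"EventID": 22, "Image": _SAMPLE, "QueryName": "bin12.ydns.eu"},
    {"EventID": 22, "Image": _SAMPLE, "QueryName": "www.example.com"},  # benign lookup
    {"EventID": 3, "Image": _SAMPLE, "DestinationHostname": "bin12.ydns.eu",
     "DestinationPort": 4050},
    {"EventID": 11, "Image": _SAMPLE, "TargetFilename": _STARTUP},
    {"EventID": 1, "Image": _STARTUP, "ParentImage": _SAMPLE,
     "Hashes": "MD5=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for rule, ev in match_events(SAMPLE_EVENTS):
        print(f"{rule:24s} EventID={ev['EventID']} Image={ev['Image']}")
```

The DNS and connect rules key on the hostnames because the ydns.eu names are dynamic DNS and the resolved addresses will rotate; port 4050 alone is too weak to alert on. Hash matching uses SHA256 rather than MD5 since the report lists both and MD5 collisions are cheap to produce.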

MITRE ATT&CK Enterprise v15

Tasks