General

  • Target

    Kfboa.exe

  • Size

    6KB

  • Sample

    250324-fpxa9axydv

  • MD5

    ceba7570864bdd6c2dfe5e11fa5625ea

  • SHA1

    38033ecf6350e2e7dc49914b64886818ee18e6c8

  • SHA256

    b5d47c5e81250db93f2d48269950223bce5495e24bb4fc08c00e57a49810a76b

  • SHA512

    7728f905c0606e437a5f3be25682f69aec207f0269ff5715978810029de9907872153f6a944b9634a3f0928e0d7b1878541d906cb29a50effc7edc5f3e7ff4c6

  • SSDEEP

    96:s0aB2VVxmwnavYFyj3tuDeFHxtNxC4zNt:KB2nxdXFy37VxYa

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    bin12.ydns.eu:4050
    bin14.ydns.eu:4050
    kingsbkup1.ydns.eu:4050
    smfcs1.ydns.eu:4050
    smfcs3.ydns.eu:4050

  • Mutex

    eFgRwYcigKCR8e0p

Attributes

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      Kfboa.exe


    • Detect Xworm Payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext
