General

  • Target

    Builder.bat

  • Size

    40KB

  • Sample

    250529-n3g3gs1px5

  • MD5

    0a5c49d4db2cc1905113ad4761af0729

  • SHA1

    4fb80e84a55f3cfc6ef06333e9e0fb2a8379d419

  • SHA256

    067366759f9b33981eb40fe708af17d70ecd8fd0e426b032e8b1e01454420214

  • SHA512

    3e39d9171b56b7fa6fd44d34b53dcf5ca5d5a9c35bb68cbc7eb8d5d4e5f6abb8a9aaade68e88b519f2109f122caa8f69246a96b7e111feac0df7372ae1aebb87

  • SSDEEP

    768:nPnYRP6wAKnchex3qenmnZwBfEkifeFG9wfOuhCjru:nvYRPFdxaQ8kimFG9wfOu4G

Malware Config

Extracted

Family

xworm

Mutex

fqLaHappNtycmPlr

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/uk5hV6uc

  • aes.plain

Targets

    • Target

      Builder.bat

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry