Clicky

Pages

Thursday, September 12, 2024

2024-09-19 X-WORM RAT (Phishing) Samples

2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r


More about X-Worm: Malpedia: X-Worm Malware with wide range of capabilities ranging from RAT to ransomware.

  • Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
  • The downloaded .zip file contained a shortcut file (.lnk).
  • This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.
  • The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
  • The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
  • MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt strings.
  • The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
  • XWorm Version: The analyzed version of XWorm was 5.6.

Download
File Information
    ├── 1893afc228afedb18b743176cbd3f0e4adb31fee7982252a4dc6180a6fb83451 ZBWWHQNZII.exe 
    ├── ec7351c49098d55c332f9c5b0b4c51ffe804dd5780fc954006efcf2aeef91b7f HPFQJGRKIS.exe 
    ├── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891.Itinerary.doc.zip.exe 
    └── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891 ZBWWHQNZII.exe 
Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

No comments:

Post a Comment