2024-09-19 X-WORM RAT (Phishing) Samples
2024-9-13 08:33:0 Author: contagiodump.blogspot.com(查看原文) 阅读量:13 收藏

2024-09-19 X-WORM RAT (Phishing) Samples

2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r

More about X-Worm: Malpedia: X-Worm Malware with wide range of capabilities ranging from RAT to ransomware.

  • Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
  • The downloaded .zip file contained a shortcut file (.lnk).
  • This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.
  • The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
  • The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
  • MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt strings.
  • The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
  • XWorm Version: The analyzed version of XWorm was 5.6.

File Information

    ├── 1893afc228afedb18b743176cbd3f0e4adb31fee7982252a4dc6180a6fb83451 ZBWWHQNZII.exe 

    ├── ec7351c49098d55c332f9c5b0b4c51ffe804dd5780fc954006efcf2aeef91b7f HPFQJGRKIS.exe 

    ├── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891.Itinerary.doc.zip.exe 

    └── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891 ZBWWHQNZII.exe 

    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.


文章来源: https://contagiodump.blogspot.com/2024/09/2024-09-19-x-worm-phishing-samples.html
如有侵权请联系:admin#unsafe.sh