Overview

overview

10

Static

static

1

2716cfd0d3...7a.exe

windows7-x64

10

2716cfd0d3...7a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    049b7a8f84d8c8e7932bfc6e97362c30.bin

  • Size

    1.2MB

  • Sample

    230203-j1tahsda29

  • MD5

    38b9b253f99262a8e81f6780f922bf80

  • SHA1

    4f81c204712cbdb9678e37879574494919d072ca

  • SHA256

    a6b8256d8bb6baae903fa5a55cfed22b55f1925f0f11c23f58d492d84073dd58

  • SHA512

    b56d12f241bd9783b4220ac3d38be190fc9e2ede996c36614a0d0debd8e5cb1097e693177c96935bc7a9e8ca3c61863546256b731d435b54cca8e2292a4cb7bf

  • SSDEEP

    24576:F14QrXRGccT6hFEoNYp5bnKRoXvyeR8exkxM0SErbBlM7xG0oGsllPy:F1bRG9e/EKazK6XvXxkjXAtG08Py

Score
10/10
xwormmicrosoftpersistencephishingrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Mutex

TU53fgvTBLouBDSy

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      2716cfd0d3479d42e903bd0c835b91fd5918a02fb63bdc1b52f73921bf4b307a.exe

    • Size

      1.6MB

    • MD5

      049b7a8f84d8c8e7932bfc6e97362c30

    • SHA1

      f3d85b5214062a92ecacd0a65e02593e44ab188a

    • SHA256

      2716cfd0d3479d42e903bd0c835b91fd5918a02fb63bdc1b52f73921bf4b307a

    • SHA512

      eb0c58f723a9c6a2d3d29b10f89538845cfbdaa2d4579de4238a0753050154dacc7832cc20f858b757fd6a2e491b5f775262f670309b7691437910c59a106924

    • SSDEEP

      24576:bYO8wJFOtz7uuqEP+1MoIpgpgi2esTTPfQHSvMYdihbjct3sP8ZS3pdWMhLaw:koqAI4sTTP4smZ58wl

    Score
    10/10
    xwormrattrojanmicrosoftpersistencephishing

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks