General

  • Target

    XWorm V3.1.exe

  • Size

    7.0MB

  • Sample

    230318-ssv9kseg6t

  • MD5

    e0b3a2c3df9a18ad71e1293a3195cadf

  • SHA1

    f48a0d2c47f1db77457e894d4e72bb3ddd6b0691

  • SHA256

    7786135b3cd7225c0fd83b1fc05efb702ae015d124326dfb4947d4e2addaab69

  • SHA512

    b2c091d50902ed44f7de80ec84bff8894bee0fce5ac0e53536048ae8d6cfc0c719771dab7ae5f585cd608fe86f50d8c25219faa7daef7720d0f2b557a9af972e

  • SSDEEP

    196608:Nn1Q6B/XKUDz9NoUXJzUWi7MYjBVvo5/km:N1FlaU/9NZXJZinjB9oxj

Score
10/10

Malware Config

Extracted

Family

gozi

Targets

    • Target

      XWorm V3.1.exe

    • Size

      7.0MB

    • MD5

      e0b3a2c3df9a18ad71e1293a3195cadf

    • SHA1

      f48a0d2c47f1db77457e894d4e72bb3ddd6b0691

    • SHA256

      7786135b3cd7225c0fd83b1fc05efb702ae015d124326dfb4947d4e2addaab69

    • SHA512

      b2c091d50902ed44f7de80ec84bff8894bee0fce5ac0e53536048ae8d6cfc0c719771dab7ae5f585cd608fe86f50d8c25219faa7daef7720d0f2b557a9af972e

    • SSDEEP

      196608:Nn1Q6B/XKUDz9NoUXJzUWi7MYjBVvo5/km:N1FlaU/9NZXJZinjB9oxj

    Score
    10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks