Overview

overview

10

Static

static

10

4b9d11ad0a...22.exe

windows7-x64

10

4b9d11ad0a...22.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4b9d11ad0a32fd2d76d4d8e9256f13df37b7628df9eb50b21dd11016d0a4ca22.zip

  • Size

    39KB

  • Sample

    230321-r51jdsde9z

  • MD5

    16bd4e9fe11e77ef81b87d735494fb77

  • SHA1

    ddb2d1ec74a17feaaef4b4a98ae351f8e1ac9d58

  • SHA256

    9a05cdb4522f87a43ecbbd7cf4de4e6ee9d84b114c7d3430ac86891df6836eda

  • SHA512

    8efdcc67f785aaedd3136b24f65549fd722045845ec00de747e06c917fa618baef47cf8875148b0fe911876c9ec62934d63f4f2b0315c898d1653e7fde1969f4

  • SSDEEP

    768:t+favPdhkSjg0ZcP8IsELo1NaxeTndIIKYCOVwuNbnVTG6a714PmZj:t95g0DIuGxeTndIvYCiXViJ1NZj

Score
10/10
xwormpersistencerattrojan

Malware Config

Targets

    • Target

      4b9d11ad0a32fd2d76d4d8e9256f13df37b7628df9eb50b21dd11016d0a4ca22.exe

    • Size

      66KB

    • MD5

      8682c4dc2e3ae57079e9ada0943b813d

    • SHA1

      d855ac963756f24d67297c1c9b94b86d6e5350ba

    • SHA256

      4b9d11ad0a32fd2d76d4d8e9256f13df37b7628df9eb50b21dd11016d0a4ca22

    • SHA512

      a7eb2a5db32d0b96e0bc761454bf9bc40bde24ff8a6eab52c799d6438c2e64d1b0fb914a75b34256e488f76b9ec7423eea82537a772f599b8e02e8199c8e5ace

    • SSDEEP

      1536:Yd077VI2kTksimD7A9sb0sBmaOu8EJSRK:Z9kT5imD7Osb0umaOuxGK

    Score
    10/10
    xwormpersistencerattrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks