General

  • Target

    XWormContent.exe

  • Size

    10KB

  • Sample

    230322-bjc8zaea63

  • MD5

    7d4e7449b76c34210100ea88c163c7fb

  • SHA1

    ef679b47eb42f162355e8772ceb25712dc7ec75e

  • SHA256

    4fc4ae98d231e2bf0b8d4ad5463d9d4f673c1d5d63dc98838cf14a61d64ce6e6

  • SHA512

    d0ef46b3e5622160e9f6ce5cac8f2b14a10bad8e2c1f91a7e1d9713fd6ed844cf74817ca050e1a2d95ee9cd24ec01c67b6e279acddc95449553effbb8354ec1e

  • SSDEEP

    192:qLH2ANdaLix1upSiP/VunlYJLLLTuzTVQLFjb5cqfM:qLH2ydaLiO3hPLTucTf

Targets

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
