General

  • Target

    WinRar.rar.exe

  • Size

    142KB

  • Sample

    230520-stfwaaff6v

  • MD5

    7e3cf425865de93ba8f2d78e6c30b4bd

  • SHA1

    39e53d94cde85716514a2c7ed281b7ca5c249e71

  • SHA256

    082e7f071c4ab06b59064a175028075cbcfb34c8ef2dd082d6667e6d14c8d2cb

  • SHA512

    369f4aba3fd9478209ddcdce476df6cc2888634354ff3768a463d12fc7227b2204d2ebc30dc69f466af7f84ed3a0e3da0a26404f55fc275e685748e428cea0b6

  • SSDEEP

    3072:ON75/tddxPZRxU9o+72Q+O9mLs49BeBuU2rfnGGrlzvO8Ul/lV/1t4:i9xU9V7qO9mLlBeBGGGJzm8Ul/lx

Score
10/10

Malware Config

Extracted

Family

xworm

C2

awgaegsrgcs.duckdns.org:58554

Attributes
  • install_file

    USB.exe

Targets

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks