General

  • Target

    WinRAR.exe

  • Size

    1.6MB

  • Sample

    230627-b1tmaade9t

  • MD5

    f52191191ac8950f15e38483ca8927af

  • SHA1

    d051facee1918efca8df43fd8738d02b77c0bf57

  • SHA256

    fedc35a1b93e0e18badb7900b6e4722a7656a65a75036e6a2e5010a393d648d7

  • SHA512

    c7beda7c80423457dabf7da89dfc59a413a5e3dba246819c6019300f1aa69ee18fe50758958ff43d3fc0e51c5acaff0bb03e3cc4ff57a89241b23075196be36f

  • SSDEEP

    24576:3uWSIdFbt6tQwe4gU2bAw0zR9vAfVNZ+ycVlCS0Of3m2Bd3X3N:31mXr2stzRRA3Z+jbC5Of3zH3N

Malware Config

Extracted

Family

xworm

C2

instruments-specials.at.ply.gg:37660

Mutex

TnTeKc6d1P5N3Ui2

Attributes
  • install_file

    USB.exe

aes.plain

Targets


    • Xworm

      Xworm is a remote access trojan written in C#.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
