User tags

Assigned on submission by the user, not by sandbox detections.

Threatview.io Proactive Hunter

General

  • Target

    hello.exe

  • Size

    133KB

  • Sample

    230709-pmeg4adf8s

  • MD5

    27d43df9fb6228ab9ec3482a528f1da6

  • SHA1

    23b938e1caf2507ae797805f27ee66357ee0c53a

  • SHA256

    d9048e7e5185fca63822a536674effaf47f434fd8bcd74018e5da09b5a7c1469

  • SHA512

    30fb0f42d85b92102ac83dde0cadb0cdf1f19f2bafbb6174ce880aaf9c89a6dac201a3a461253543cac833fb12c5b10277bcf0c492eb2a0070e033b61ec632cc

  • SSDEEP

    1536:u7K22GZXoCVg0vfiCTzbec/31ENYw649ApO4uMET1qxj751cNz0UCdkV/L7t:u7Kh+4CO0vfiC/beGCNYi9ApOZUH5aJ

Malware Config

Extracted

Family

xworm

C2

needforrat.hopto.org:7000

Attributes

  • install_file

    USB.exe

Targets

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks