General

  • Target

    NA_7049513f0a55cdad1d145ba2c_JC.exe

  • Size

    2.1MB

  • Sample

    230725-r5b6ssdh2z

  • MD5

    57a38337a7bf9a0f40cc19b9106fb664

  • SHA1

    5c376c9e64137c175a1b3eb463d0a8d44557cfb2

  • SHA256

    7049513f0a55cdad1d145ba2c2f988ecf02767bd04b52cd443669e0776da997a

  • SHA512

    0f2015189b680ae2fecbf25ddd37a8d5ceea575187ee2ac672df7a5504afa44fb3b17e1cfc74f0c7ccf4c12fc9ffb2672ab3f7158ae8a65e2f5b925247c3ad1b

  • SSDEEP

    49152:TdmAznU4n9t2ELj18p4BDifoM83ig9Apl14yG9pn:TO49wi73fWchn

Malware Config (extracted)

  • Family

    xworm

  • C2

    stores-anytime.at.ply.gg:36673

  • Attributes

    install_file: USB.exe

Targets

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks