General

  • Target

    mkpub_GRU-6LDC.rar

  • Size

    120KB

  • Sample

    231003-qjl87sah4v

  • MD5

    d6ca1b57172b0bfc2f3f810f3d18ce4a

  • SHA1

    4fc34c465b3bbc4c743f1553ea5935a60da90a8c

  • SHA256

    389bcd4e3c1447f8e0704c0bd0590ca7d38a00a7cb8088e4cb0f43dc86da4233

  • SHA512

    34517c34119e044342b2051d2e956925b1595c1f96347a1ca08aa216de578daae4b178a2101a92471789fb97cfa9befaeba1f9ecfc2a48336e2eab90122c0d7a

  • SSDEEP

    3072:mU/VPOqOYQzg72VXCh6yVxjEpdG/jDN9lxSMWyX7p9xTS:mKOdXgSVShVViG/XjSEJS

Malware Config

Extracted

Family

xworm

Version

5.0

C2

brightle.ddns.net:7000

Mutex

jaSa0S2QQOuGarf8

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      GRU-6LDC.exe

    • Size

      315KB

    • MD5

      754a0ca3356a8f76909cd9c5c41234d5

    • SHA1

      c3d9d52316b071f0db5ca9cd6999bfc06141795b

    • SHA256

      740253f7075ea5e09021a78ff868d9c90931210aa12e2da91b60f1ea7380f759

    • SHA512

      d1fdc37b367dd2dba4cb75021299c12c22064b40d48ba6250568727b565e73c7bbe03691bb0b288dc0b588679d6d9408bf7ff7bb60a69b26e41cf69c4c78fbe5

    • SSDEEP

      6144:K3B4ZXBhCirEL5BH46Zk16P9R8G1jqJ6TVKSK:K3BghvrELPH46ZAKjoQES

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks