General

  • Target

    Loader_UEFI.exe

  • Size

    679KB

  • Sample

    231006-f4x64ahc2w

  • MD5

    c917837258e4556d08d1007a901e10e2

  • SHA1

    033d5a327325f01252ae0ab387dddada6974a873

  • SHA256

    830998a199250c7183288618febb35fd08a7848d3aae1cddb89c48d8be180b1a

  • SHA512

    022faef413e99ae4175635e1eda70059fa05fd365ee71930fab27d98e5e376360ab27709ccdd19c8a9097055ae2a7e46381063a39813670d645e9b79be25d4f5

  • SSDEEP

    12288:KqI9R0yf99LzhWjkRCFdNT9InralGCZ3ZvI/eLjX9qSs+B32O/ocOJMyPJGTlOzr:KHR0yfrzhWCqT4OQCxZg6jNLnm0oBiy9

Score
10/10

Malware Config

Extracted

Family

xworm

Version

3.1

C2

Graxe239-61522.portmap.host:61522

Attributes
  • install_file

    RuntimeBroker.exe

Targets

    • Target

      Loader_UEFI.exe

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely as a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15