General

  • Target

    s.exe

  • Size

    769KB

  • Sample

    231018-skr7ysgh22

  • MD5

    d556d1a3b5eb0438b0b865b644222f3c

  • SHA1

    4d09754186566dbb05aa4abcf3a3af2dbabdfa08

  • SHA256

    43beca96dce7467f6c9b9aadb881811bb105cca8336c2c52a9ebbf2f944b07f8

  • SHA512

    9aa1b7a01982b1cf136db08e0b2e796954e28c2a3ecf64300041b9031dfbf6e7406af7f84a0bcdf13fc3e6fd4afd803426e7c0c8cb686d36169384cf96ffa384

  • SSDEEP

    12288:NZtRx3bXt3k20oFDhSVDH8sz3yYPhYUjDRlCaj+csveMMGkqCTOudrKS:B7t3JxhSVT8q3yOhQajHsxbkKS

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    juandice-60636.portmap.io:5000

Attributes

  • Install_directory

    %AppData%

  • install_file

    original.exe

  • telegram

    https://api.telegram.org/bot5611504908:AAFpsAphAhLPMq_kq8cWKLPJIpuCJ0Znw9Y/sendMessage?chat_id=5493226523

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Detected potential entity reuse from brand Microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks