General

  • Target: PO2708392024.tar.gz
  • Size: 684KB
  • Sample: 240124-r75wwschhm
  • MD5: be80012d8d9670abdd37a8fc7b4ce5d6
  • SHA1: 04b153189accd547541ac0289cc5abf8ebab0cdf
  • SHA256: 854c488587898415edec266f09e3b2c0c98ab44e0b4e8fc262f76e7f4787c904
  • SHA512: d498bc2ed554e48724c37fd8eb300ff3d9894a2599738c3f8b92dc4ba5d3d30de2440adda2472424d4697a042507691704e4ff8d0f727a20fe08c4ee720b7a64
  • SSDEEP: 12288:TPnGvxV8Y4U2NqaOZrf39et+hJnh+E+nw9/RPZ4kacR2BmqvCDP6+Co3WcehEZzL:yxSY4rqtJvQtgnxgwZlacRYmqvcPPYhQ

Score
10/10

Malware Config

Extracted

Family: xworm
Version: 3.1
C2: 193.161.193.99:24049
Mutex: Fhc0AfR5IWfrpo3r

Attributes
  • install_file: USB.exe

aes.plain

Targets

    • Target: PO2708392024.exe
    • Size: 1.2MB
    • MD5: 2fa5b7276859ed345c32dbc5fefb95c8
    • SHA1: 5b9d8f2e453c2ecfc586029285aabfc729aab75a
    • SHA256: b4c90bc7e8cd41814c1e3ce937b7d2db7d1593aa6d0c1bba560cba2418a8cca9
    • SHA512: 6758cbd0a325d6a0efc90788e02fc99a0fc95783134e1640f5d494d145672afceb70f62d1d490d5fde264cb510c62e423f3987abffc87edc4ab19732a42c42d9
    • SSDEEP: 24576:YAHnh+eWsN3skA4RV1Hom2KXMmHa66baOr0mqxEPLe92sZKt5:fh+ZkldoPK8Ya66b30/xWegsm

    Score
    10/10
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • AutoIT Executable
      AutoIT scripts compiled to PE executables.
    • Suspicious use of SetThreadContext
