General

  • Target: NursultanSetup.exe
  • Size: 59KB
  • Sample: 240125-rgmmmahbc5
  • MD5: 68152587ca46bf9974ad4e5a0ac77b47
  • SHA1: 5435ae05b1cf0eac83d5635e20a52214432260ef
  • SHA256: 972adedc69f159942f3fab6528d80e428066fa8ce297b0be6d4af988185711dc
  • SHA512: 7aeb7e4c6c94357061e05cac1530cf922191655679e82c36b7f06c4106b966c1bdd18e86035437c87953fa3c4adc60b021b3bd5859df3b62f9acf12db563b520
  • SSDEEP: 1536:Mpfw0K7+wQS4f47Rb0jbtViTqLQr6npOcoqKGQG6:Mpfi7+wQSU+Rb0jbt6MOczTf6

Score: 10/10

Malware Config

Extracted

Family

xworm

Attributes
  • install_file: USB.exe
  • pastebin_url: https://pastebin.com/raw/mXwT6uNv

Targets

    • Target: NursultanSetup.exe
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks