General

  • Target

    Internal_Installer.exe

  • Size

    140.7MB

  • Sample

    240204-bckpgagbdp

  • MD5

    c2e31745e3839161e7dbd874062f2946

  • SHA1

    bd9d04177a5f5a906d7b73ecf271011178064708

  • SHA256

    30b429740ae782ad1ce0b0d9e569ab42ce1c9a43e358c490c6e539ca7bdbb40d

  • SHA512

    8e0909fb6c0cae985e35475c86d0d0209bbfce8e41350e40d305128acd5aef52fb5ab0c756bf5bbf370597dadfcfd8754a7210ec907bfd22cffa8dfe7d1050c9

  • SSDEEP

    1572864:V4GRQtQzKNAwsDi3fRusajRHgsP6pVm1Etb5/xISipohDtrbw6koLAYE3SWAPKos:+GaCK2wlZajCSvp0+AioCKs

Malware Config

Extracted

Family

xworm

C2

3.125.102.39:18996

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks