General

  • Target

    PATHNK.exe

  • Size

    67KB

  • Sample

    240319-mwyk8aaa98

  • MD5

    c6317364283770fdb6f84b2de5bf8ac4

  • SHA1

    26fb5faf27dae058e80e3cdcaefb5df1c99fd1ff

  • SHA256

    34cf8c1738cb354ab3f71cccd889bba6e46ad29d71a506cc12d1157d5f1679a2

  • SHA512

    b4374d0c5f362e1b4dfe72a21d739ba95edc16c54c39065bb9d3dee8ff86805a6f1ebd2ff08d227ee2dc887d810956bf386bc1f2c832f611b9923e1972f5adf8

  • SSDEEP

    1536:KEkzw1DFyZeGX6wPbTh4wCTkb5TSlcjx6Nbi6y2VORiK:7kwx4eGX6wPbHb5SlE6NbXORiK

Malware Config

Extracted

Family

xworm

C2

18.ip.gl.ply.gg:60865

Attributes

  • Install_directory

    %AppData%

  • install_file

    NerestPCchams.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks