General

  • Target

    1d562eaa3e33451a40f60c976c6f4bc0.bin

  • Size

    626KB

  • Sample

    240328-bd8spacc9w

  • MD5

    5d6b50358d5582e8bfd16db6293b49d4

  • SHA1

    115585eb24ce85cbc96186e96d83e2af7534f9ef

  • SHA256

    facf6255e4cef4e5757529e30af248dc78594b292a4753d4216b02df4be4a7ac

  • SHA512

    4081693f8dba663c86b864ce78f8f36abe1813e3556360fcb1271c047335bb12b96c7a98d3c8252a0938a1f78f731146f65228fdcf2258bb3e167ec97e4d2651

  • SSDEEP

    12288:U974z7VcdHbz5Ar0jRSHjAMt+NWzqc3m6QW0cLXcLPZwwn9u+PoEVFkF7ngDPT:gYZMz6ojRSHjh+U++QeSJ9Zg1F7nCPT

Score
10/10

Malware Config

Extracted

Family

xworm

Version

3.0

C2

157.254.223.19:8081

Mutex

i0Yq2Adr82znjD2G

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057

aes.plain

Targets

    • Target

      dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614.exe

    • Size

      631KB

    • MD5

      1d562eaa3e33451a40f60c976c6f4bc0

    • SHA1

      de0f3e027e12162388ec953936857f06b71487ca

    • SHA256

      dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614

    • SHA512

      73901625a5f7a9fecd013d4675427d4bd2d623174e8c78a4c831d4ca76797312b67f75fb662f2bd091ddeb4dd3b20790a39eb237c9f57c4e6a2c88a8b0af042a

    • SSDEEP

      12288:uJz1yun32ZOxhr9d6G3R6dYw02suri2zUkhqCFl6oXK1CC+:aByM3b9oM6dl0NulFhqCWwW8

    Score
    10/10
    • Detect Xworm Payload

    • Detect ZGRat V1

    • Xworm

      Xworm is a remote access trojan written in C#.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
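
The extracted config above (C2, mutex, install directory and file, Telegram bot URL) and the behaviour list for the dropped executable are what an analyst turns into host and network indicators. The following is an added example, not code from the report or from the sandbox: it parses the "Extracted" section as it appears on this page into a config dict, derives indicators from it (C2 socket, expected drop path, Telegram bot id and chat id), and runs them over a few constructed, Sysmon-like events to show which ones would fire. The event shape, the `C:\ProgramData` expansion of `%ProgramData%`, and the field names are assumptions of this example.

```python
"""Turn the extracted XWorm config on this page into IOCs and match them against sample telemetry."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed copy of the "Extracted" config section of this report (the values are the page's own).
CONFIG_TEXT = """\
Family
xworm
Version
3.0
C2
157.254.223.19:8081
Mutex
i0Yq2Adr82znjD2G
Install_directory
%ProgramData%
install_file
USB.exe
telegram
https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057
"""

FIELDS = {"family", "version", "c2", "mutex", "install_directory", "install_file", "telegram"}


def parse_config(text):
    """Read the label/value pairs of the report: a label on one line, its value on the next."""
    lines = [ln.strip().lstrip("•").strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    cfg = {}
    for label, value in zip(lines, lines[1:]):
        if label.lower() in FIELDS:
            cfg[label.lower()] = value
    return cfg


def parse_telegram(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id.

    The token is the operator's credential for that bot: record it as an IOC,
    do not call the API with it from a production network.
    """
    u = urlparse(url)
    m = re.fullmatch(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", u.path)
    if u.netloc != "api.telegram.org" or not m:
        raise ValueError("not a Telegram Bot API URL")
    chat = parse_qs(u.query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2), "method": m.group(3), "chat_id": chat}


def build_iocs(cfg):
    """Derive hunt indicators from the parsed config."""
    host, _, port = cfg["c2"].rpartition(":")
    tg = parse_telegram(cfg["telegram"])
    install_path = cfg["install_directory"].rstrip("\\") + "\\" + cfg["install_file"]
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "install_path": install_path,  # %ProgramData%\USB.exe; the report also notes a startup file is dropped
        "telegram_bot_id": tg["bot_id"],
        "telegram_chat_id": tg["chat_id"],
    }


def iocs_from_page():
    return build_iocs(parse_config(CONFIG_TEXT))


def expand_env(path):
    """Resolve %ProgramData% to its default location (assumption: system drive is C:)."""
    return path.replace("%ProgramData%", r"C:\ProgramData")


# Constructed telemetry, loosely shaped like Sysmon process/network/DNS events.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ProgramData\USB.exe"},
    {"type": "network_connect", "dst_ip": "157.254.223.19", "dst_port": 8081},
    {"type": "network_connect", "dst_ip": "157.254.223.19", "dst_port": 443},
    {"type": "dns_query", "query": "api.telegram.org"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
]


def match_events(events, iocs):
    """Return (indicator_name, event) for every event that matches an indicator."""
    hits = []
    drop = expand_env(iocs["install_path"]).lower()
    for e in events:
        if e["type"] == "process_create" and e["image"].lower() == drop:
            hits.append(("install_path", e))
        elif e["type"] == "network_connect" and e["dst_ip"] == iocs["c2_host"] and e["dst_port"] == iocs["c2_port"]:
            hits.append(("c2", e))
        elif e["type"] == "dns_query" and e["query"] == "api.telegram.org":
            # Weak on its own: Telegram is common legitimate traffic. Only useful when paired with the other hits.
            hits.append(("telegram_lookup", e))
    return hits


if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_EVENTS, iocs_from_page()):
        print(name, ev)
```

The mutex is not matched here because ordinary endpoint telemetry rarely records mutex creation; it is still worth keeping in the indicator set for memory forensics or a Volatility-style handle scan. The connection to port 443 is deliberately left unmatched: only the exact C2 socket from the config is an indicator, the address alone is not.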

MITRE ATT&CK Enterprise v15

Tasks