General

  • Target

    Menu_Injecter.vbs

  • Size

    55KB

  • Sample

    240328-cvbpysda9v

  • MD5

    870aa202d351082cff00a15f66a7f97a

  • SHA1

    a1a38e4b2a6c8fc12b2b9d25b28f61f66fce56d0

  • SHA256

    f22f608b3f9ddfa9083fa09bc0cc8ea3e527ad6541a375653861d243c87f29a3

  • SHA512

    ee9216d358e9a00964062d172b25cd0455928f6e25242e124d19dc9f7f53b4ed0ac1ea59598c8e356cd4f2a4fcd8918ecfea858d8334a55853947b9ce5d2a79a

  • SSDEEP

    1536:zax7gR/f8g0+4M3nAXguly7TGnx2Wy0Oz2+VUrDClZ:ex0f8gt4MUaT4q0Oz2+Vl

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

ujtjGruX910oDXJg

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • aes.plain

Targets

    • Target

      Menu_Injecter.vbs

    • Detect Xworm Payload

    • Xworm

      XWorm is a .NET remote access trojan written in C#; the dropped payload name (XClient.exe) and the mutex above come from its extracted configuration.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (the sample avoids or targets machines by locale).

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
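
The extracted config and the signatures above translate directly into host-side checks. The following is an added example, not part of the sandbox report or of XWorm: it scores constructed EDR-style telemetry records against the report's persistence, geofence and external-IP-lookup behaviours. The record field names, the registry paths (Run key, Startup folder, Control Panel\International\Geo\Nation), the IP-lookup host list and the set of "blocklisted" script hosts are assumptions made for this example; the report names none of them, only the behaviours.

```python
import re

# Values taken from the report's extracted config.
INSTALL_DIR = "%AppData%"
INSTALL_FILE = "XClient.exe"

# Assumed host-side equivalents of the report's signatures (not from the report).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.amazonaws.com"}
BLOCKLISTED_NET_PROCESSES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def expand_install_path(username):
    """Resolve the config's Install_directory\\install_file for one user profile."""
    roaming = r"C:\Users\%s\AppData\Roaming" % username
    return (INSTALL_DIR + "\\" + INSTALL_FILE).replace(INSTALL_DIR, roaming)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _is_install_path(path):
    """True for <any profile>\\AppData\\Roaming\\XClient.exe."""
    head, _, tail = path.rpartition("\\")
    return tail.lower() == INSTALL_FILE.lower() and head.lower().endswith(r"\appdata\roaming")


def classify(events):
    """Map each report signature the telemetry reproduces to its evidence lines."""
    hits = {}

    def add(name, evidence):
        hits.setdefault(name, []).append(evidence)

    for e in events:
        kind, image = e["type"], _basename(e.get("image", ""))
        target = e.get("target", "")
        if kind == "file_write" and _is_install_path(target):
            add("Drops install_file into Install_directory", target)
        elif kind == "file_write" and STARTUP_DIR_RE.search(target):
            add("Drops startup file", target)
        elif kind == "reg_set" and RUN_KEY_RE.search(target) and _is_install_path(e.get("data", "")):
            add("Adds Run key to start application", "%s = %s" % (target, e["data"]))
        elif kind == "reg_query" and GEO_NATION_RE.search(target):
            add("Checks computer location settings", "%s read by %s" % (target, image))
        elif kind == "dns":
            # Both signatures can fire on the same lookup: the service is an
            # IP-echo site, and the requesting process is a script host.
            if e["host"].lower() in IP_LOOKUP_HOSTS:
                add("Looks up external IP address via web service", "%s -> %s" % (image, e["host"]))
            if image in BLOCKLISTED_NET_PROCESSES:
                add("Blocklisted process makes network request", "%s -> %s" % (image, e["host"]))
    return hits


def matches_report(hits, required=3):
    """Verdict: enough of the report's behaviours were seen to call it an install."""
    return len(hits) >= required


# Constructed telemetry for one infected profile ("bob"); the last record is
# benign noise that must not match anything.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Menu_Injecter.vbs"'},
    {"type": "reg_query", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\bob\AppData\Roaming\XClient.exe"},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe", "host": "api.ipify.org"},
    {"type": "reg_set", "image": r"C:\Users\bob\AppData\Roaming\XClient.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "data": r"C:\Users\bob\AppData\Roaming\XClient.exe"},
    {"type": "file_write", "image": r"C:\Users\bob\AppData\Roaming\XClient.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "host": "www.mozilla.org"},
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for name, evidence in found.items():
        print(name)
        for line in evidence:
            print("   ", line)
    print("verdict:", "XWorm-like install" if matches_report(found) else "inconclusive")
```

The Run-key check deliberately requires the value data to resolve to the config's install path rather than matching on the value name, since the name is attacker-chosen and the path is what the config fixes; the geofence and IP-lookup checks are weak on their own and only count towards the verdict together with the persistence artefacts.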

MITRE ATT&CK Enterprise v15

Tasks