General

  • Target

    Новая папка (5).rar

  • Size

    62.1MB

  • Sample

    240328-qwq3xsfd6y

  • MD5

    004b173de6591178ecc3a5d756d2b701

  • SHA1

    94128a7cefdc8ec3fa6a2c14dc95a83b9e0778fe

  • SHA256

    40a1f661d63099b9a3c64267509d231d02bfe0d4d93d964a1bf6d8d6d79140bf

  • SHA512

    a54b0899ec403dbf97795ddc05dce3b2cc6d435977d6f41eaf401c6b3196043fa5a528ab0d4a4a291c11cebd240689874534950569c9cb422ea2cbd2ec529571

  • SSDEEP

    1572864:P+KB5HVYivtxABADxKGnM5j22e/oIhD/0/t3kYINtr:P+K71NzABA1KG6jE/oH/t3Ytr

Malware Config

Extracted

  • Family

    xworm

  • C2

    16.ip.gl.ply.gg:52773

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      $77cvhost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
