General

  • Target

    .NET SDK 8.0.exe

  • Size

    5.9MB

  • Sample

    240329-a7kghsda61

  • MD5

    5ae0aff78c28b4fe6d8419f0ddac0684

  • SHA1

    91a50699efb06271f7533f55b1f84040830d8cbb

  • SHA256

    84d71ead3be18d57fc60241647a078b9bd4293ed8dc6e216094613d7b582c47f

  • SHA512

    8beb56cb092ab4df1d05f784b8191336d66dd865831ffb5aed7bfc0c8fe91bcddef2925abb5346946db280ae7fc31af073f62852fd8f96fc801ff2f674f05561

  • SSDEEP

    98304:TMtj/BJbGYE+HNbBeA6Na/9rXSFZH9NBAT/xQhPJi4T8UmSh0rqggk:8/DJeGhX8a/xGxi4gUmSh0mgj

Malware Config

Extracted

Family

xworm

C2

94.6.233.124:1707

Attributes

  • install_file

    USB.exe

Targets

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
