General

  • Target

    NET.exe

  • Size

    5.9MB

  • Sample

    240329-b9ngmaed71

  • MD5

    334b84a0d53a75c0b254df1e9fda5d89

  • SHA1

    cddcb55bc44607864145acd4a80d7ef2b6e3892a

  • SHA256

    6f1c1405ca37e3fece451132b8b2f65164fd67c5dc3005588f7850fba0b07cea

  • SHA512

    2f4728a75661823333d4b6d6621c2c99566f4dd4dd00acf318b30b278b38b5437debb1386972d0f8927e8094c7f3139a7304a9eeead787fa619ee0a383a142e8

  • SSDEEP

    98304:AMtj/BJbGYE+HNbBeA6Na/9rXSFZH9NBAT/xQhPJi4T8UmSh0rqggkX:b/DJeGhX8a/xGxi4gUmSh0mgj

Malware Config

Extracted

  • Family

    xworm

  • C2

    94.6.233.124:1707

  • Attributes

    • Install_directory

      %Temp%

    • install_file

      GG.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15