General

  • Target

    4923f14138a892567a3a3a2bac19fc62.bin

  • Size

    5.0MB

  • Sample

    240329-b9tnmsed81

  • MD5

    4923f14138a892567a3a3a2bac19fc62

  • SHA1

    8c2056e3edeaf919012c6503e5f8d64fd51355cc

  • SHA256

    eec5d83fcb62d0c9b813081ef2cd9debf729826c0c20f00df764b7dda642c397

  • SHA512

    08f0423731694e188164fe933f1abb621ad339745d7ed91a2a5f58b4bce6e79e595d6a4e06fac8a542e35bdf8c7c3cdd21da91fcb2eacd3caaa3803a3f64503d

  • SSDEEP

    98304:f7S4+d1cDBbEqN5IMwzjV1u4SXhV0uPf62gmFHQqZZ7:e4LN7Ozfu5z5PpFw29

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

Targets

    • Target

      GhostClient.exe

    • Size

      5.0MB

    • MD5

      8b36003e47da77255a4bc631359a9845

    • SHA1

      659aa2943770ed49557fd32a28a310d7e3961b52

    • SHA256

      deadb78865ea2dc4347b895f19372c05482a14b0af6964e09b136eb73b431a1e

    • SHA512

      1d8fd97fc7985804e5a6c0a114e85b79ac41c93f723ab88ab177846febe30838c71d531731e2b3a5502c150b0c83966be3ec9d836013df4e2099172163f2d9fc

    • SSDEEP

      98304:ceUB6PiuZog3w97BI3lUKOPTu3d4BQ9455HEM/pBvOkSmK5ooAvNw82og6:GB6lTlUBq3eBf/plOk9Katvv2

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the payload should run on this system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate public IP lookup service to determine the infected system's external IP address.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
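
The behaviour signatures listed for the dropped GhostClient.exe describe what the sandbox observed at runtime. The following is an added example, not the sandbox's or the report's own detection code: it replays a constructed event trace against those six dynamic signatures and reports which events triggered each one. The registry paths, the list of IP lookup hosts and the trace itself are assumptions made for this example; "Detect Xworm Payload" and "Xworm" are family/config signatures and are not modelled here.

```python
"""Replay constructed sandbox events against the dynamic behaviour signatures
in the report above. Added example, not the sandbox's own detection logic."""
import re
from collections import defaultdict

# ThreadInformationClass value for ThreadHideFromDebugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11

# Assumed rule data (not from the report): the registry values that hold the
# user's country, the per-service ImagePath value, and a few public IP lookup
# hosts. Paths are compared case-insensitively.
GEO_KEY = re.compile(r"hkcu\\control panel\\international\\geo\\(nation|name)")
SERVICE_IMAGE_PATH = re.compile(
    r"hklm\\system\\(currentcontrolset|controlset\d{3})\\services\\[^\\]+\\imagepath")
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com", "ipinfo.io"}


def match_signatures(events):
    """Map report signature names to the events that triggered them.

    `events` is a list of dicts in the order the sandbox recorded them. File
    writes are remembered so that later execution or loading of those paths
    is recognised as use of a dropped file.
    """
    dropped = set()
    hits = defaultdict(list)

    for ev in events:
        kind = ev["type"]
        path = ev.get("path", "").lower()
        if kind == "file_write":
            dropped.add(path)
        elif kind == "process_create" and path in dropped:
            hits["Executes dropped EXE"].append(ev)
        elif kind == "load_image" and path in dropped and path.endswith(".dll"):
            hits["Loads dropped DLL"].append(ev)
        elif kind == "registry_read" and GEO_KEY.fullmatch(path):
            hits["Checks computer location settings"].append(ev)
        elif kind == "registry_write" and SERVICE_IMAGE_PATH.fullmatch(path):
            hits["Sets service image path in registry"].append(ev)
        elif (kind == "api_call" and ev.get("api") == "NtSetInformationThread"
              and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER):
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(ev)
        elif kind == "http_request" and ev.get("host", "").lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(ev)
    return dict(hits)


# Constructed trace loosely modelled on the report's behaviours; it is not a
# real capture. Only the dropped file name comes from the report.
APPDATA = r"C:\Users\user\AppData\Roaming"
SAMPLE_EVENTS = [
    {"type": "file_write", "path": APPDATA + r"\GhostClient.exe"},
    {"type": "process_create", "path": APPDATA + r"\GhostClient.exe"},
    {"type": "file_write", "path": APPDATA + r"\helper.dll"},
    {"type": "load_image", "path": APPDATA + r"\helper.dll"},
    {"type": "load_image", "path": r"C:\Windows\System32\kernel32.dll"},  # not dropped
    {"type": "registry_read", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_read", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "api_call", "api": "NtSetInformationThread", "info_class": 0x11},
    {"type": "api_call", "api": "NtSetInformationThread", "info_class": 0x02},  # ThreadPriority
    {"type": "http_request", "host": "api.ipify.org", "path": "/"},
    {"type": "http_request", "host": "www.microsoft.com", "path": "/"},
    {"type": "registry_write",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\GhostSvc\ImagePath"},
]

if __name__ == "__main__":
    for name, evs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

Each signature fires exactly once on the constructed trace; the benign registry read, the kernel32.dll load, the ThreadPriority call and the request to www.microsoft.com are left unmatched, which is the point of keying the dropped-file rules on earlier file writes rather than on the path alone.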

MITRE ATT&CK Enterprise v15

Tasks