General

  • Target: c7052af714acb8631274b069d8fb99547cd495dc15b5cf4e4bce28a2a7d6c404
  • Size: 222KB
  • Sample: 240329-blyyfseb94
  • MD5: 9cddcd100936e1c7430748a2ed983443
  • SHA1: cd89db2358604243bd16a3ab917a5077282a167a
  • SHA256: c7052af714acb8631274b069d8fb99547cd495dc15b5cf4e4bce28a2a7d6c404
  • SHA512: 975caa89aeaf097957d651dcb98917de14d9c214d22bd4930276411512d2bae85e45c73af775a138049fe06456623f64245b30c91c2c5f76d44600f781fffc37
  • SSDEEP: 6144:xfL+oq+hnjsVl3dRQTLU8iGm+YzoPnneAHVBconyf4:xfL5njsVlNuc8i+Ywnb1Bcoyf4

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: 217.63.234.90:46789
  • Mutex: 3bJtiYOLPFLaAVmg
  • Attributes
      • Install_directory: %Temp%
      • install_file: InstallerV3.0.5.exe
  • aes.plain

Targets

    • Target: c7052af714acb8631274b069d8fb99547cd495dc15b5cf4e4bce28a2a7d6c404
    • Size: 222KB
    • MD5: 9cddcd100936e1c7430748a2ed983443
    • SHA1: cd89db2358604243bd16a3ab917a5077282a167a
    • SHA256: c7052af714acb8631274b069d8fb99547cd495dc15b5cf4e4bce28a2a7d6c404
    • SHA512: 975caa89aeaf097957d651dcb98917de14d9c214d22bd4930276411512d2bae85e45c73af775a138049fe06456623f64245b30c91c2c5f76d44600f781fffc37
    • SSDEEP: 6144:xfL+oq+hnjsVl3dRQTLU8iGm+YzoPnneAHVBconyf4:xfL5njsVlNuc8i+Ywnb1Bcoyf4

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target: /start.vbs
    • Size: 231B
    • MD5: abe1dd23ab4c11aae54f1898c780c0b5
    • SHA1: bb2f974b3e0af2baa40920b475582bfd4fb28001
    • SHA256: 89054e19532a9a62ca3403a8899495bf6f06557ff886b475a04227eb8aba7b12
    • SHA512: e9ec437a32301078ea69ce2f36dadab68315d5e56d94c4d579d3409ccbe0c9e00c3aed7baa0fa6d656fb8ed23213f4c01fb2d108c1a0ed11c58c76cd00f9a99d

    Score: 1/10

    • Target: /temp.bat
    • Size: 139KB
    • MD5: 9d46c43b75900bcc4c40f984a7214c81
    • SHA1: d66d65201eec3932614e3b4fc59895be3f7c49bf
    • SHA256: c55e5b6cf9f597ab11b432d5a00b43747e4f8705133a721829e68c9397fb7335
    • SHA512: 48bea71e818ce60e2d379d373b2b22bb8ce1322cb82be15f8dc01679f0cd29ea19a481acef88763ae354d16f70fe9886cdc5c9fddfc714c010f4c752eb0300d5
    • SSDEEP: 3072:Yj7wK2UlCUjcwmgjOwsAzBFJ/NYqTH/EpCo40GdQr:Yj7q8OPmBfOjA0Gde

    Score: 1/10

MITRE ATT&CK Enterprise v15