General

  • Target

    6.cmd

  • Size

    280KB

  • Sample

    240329-dekhlafh7y

  • MD5

    6993803c1d026adb6de3e6ea61476edc

  • SHA1

    bcf38ca1ef977d7f33e707407144160c65af2e7c

  • SHA256

    6679c29c3042a2ef6fad6c60efba99570aa0d8ab30e6af2465b9e4011784eab4

  • SHA512

    77f4101f3bfc687edbbd69dd0698364abbdb0f4cf3583a2037c06086962ce3f3c00e801e7f4e2f63df0620b1cb2b8f72c52c6d29a4f8902b36ebddd7aa954bf4

  • SSDEEP

    6144:FlP1hU0TBGAwgoEC7W0OwTdjdmgC6zKX97:7thU2wAB4JBDnzA7

Score
10/10

Malware Config

Extracted

Family

xworm

C2

atomic.ruspyc.top:9049

Mutex

lC0nl652JtSCtkcd

aes.plain

Targets

    • Target

      6.cmd

    • Size

      280KB

    • MD5

      6993803c1d026adb6de3e6ea61476edc

    • SHA1

      bcf38ca1ef977d7f33e707407144160c65af2e7c

    • SHA256

      6679c29c3042a2ef6fad6c60efba99570aa0d8ab30e6af2465b9e4011784eab4

    • SHA512

      77f4101f3bfc687edbbd69dd0698364abbdb0f4cf3583a2037c06086962ce3f3c00e801e7f4e2f63df0620b1cb2b8f72c52c6d29a4f8902b36ebddd7aa954bf4

    • SSDEEP

      6144:FlP1hU0TBGAwgoEC7W0OwTdjdmgC6zKX97:7thU2wAB4JBDnzA7

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
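    The extracted configuration and the signatures above yield three indicators a responder can act on without the sample itself: the file hashes, the C2 endpoint atomic.ruspyc.top:9049, and the mutex lC0nl652JtSCtkcd. The Python script below is an added example, not part of the sandbox report, that turns them into checks: it hashes candidate files against the listed digests, splits the C2 string into host and port, scans log lines for the C2 host (strong match) or a bare connection to port 9049 (weak match, since the report gives no resolved IP for the host), and, on Windows only, probes for the mutex with OpenMutexW. The log lines, the destination IP 203.0.113.5 and the bytes fed to the hash check are constructed for the example.

```python
"""IOC triage helpers for the XWorm sample described in this report.

Hash, C2 and mutex values are copied from the report; the log lines and
the sample bytes used in demo() are constructed for this example.
"""
import hashlib
import re
import sys
from typing import Dict, List, Optional, Tuple

# Indicators taken from the report.
SAMPLE_HASHES = {
    "md5": "6993803c1d026adb6de3e6ea61476edc",
    "sha1": "bcf38ca1ef977d7f33e707407144160c65af2e7c",
    "sha256": "6679c29c3042a2ef6fad6c60efba99570aa0d8ab30e6af2465b9e4011784eab4",
    "sha512": "77f4101f3bfc687edbbd69dd0698364abbdb0f4cf3583a2037c06086962ce3f3c"
              "00e801e7f4e2f63df0620b1cb2b8f72c52c6d29a4f8902b36ebddd7aa954bf4",
}
XWORM_C2 = "atomic.ruspyc.top:9049"
XWORM_MUTEX = "lC0nl652JtSCtkcd"

# Constructed log lines (203.0.113.5 is a documentation address, not the real C2 IP).
CONSTRUCTED_LOG = [
    "2024-03-29T10:01:12Z dns query A atomic.ruspyc.top from 10.0.0.12",
    "2024-03-29T10:01:13Z flow 10.0.0.12:51234 -> 203.0.113.5:9049 tcp",
    "2024-03-29T10:02:00Z dns query A example.com from 10.0.0.13",
]


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the four digests the report lists, as lower-case hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def match_sample(data: bytes) -> List[str]:
    """Return the digest names under which `data` equals the reported sample."""
    digests = hash_bytes(data)
    return [algo for algo, value in digests.items() if value == SAMPLE_HASHES[algo]]


def parse_c2(c2: str) -> Tuple[str, int]:
    """Split a 'host:port' indicator; reject empty hosts and bad ports."""
    host, _, port_text = c2.rpartition(":")
    if not host or not port_text.isdigit():
        raise ValueError(f"malformed C2 indicator: {c2!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in C2 indicator: {c2!r}")
    return host, port


def scan_log_for_c2(lines: List[str], c2: str = XWORM_C2) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, line) hits.

    kind is "host" when the C2 hostname appears (DNS/proxy logs) and "port"
    when only a connection to the C2 port is seen (flow logs without names);
    the latter is a weak signal and needs the resolved address to confirm.
    """
    host, port = parse_c2(c2)
    host_needle = host.lower()
    port_pattern = re.compile(rf":{port}\b")
    hits = []
    for n, line in enumerate(lines, 1):
        if host_needle in line.lower():
            hits.append((n, "host", line))
        elif port_pattern.search(line):
            hits.append((n, "port", line))
    return hits


def mutex_present(name: str = XWORM_MUTEX) -> Optional[bool]:
    """Windows only: True if a mutex with this name exists, False if not,
    None on other platforms. Uses OpenMutexW with SYNCHRONIZE access; an
    access-denied error still means the object exists."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE, ERROR_FILE_NOT_FOUND, ERROR_ACCESS_DENIED = 0x00100000, 2, 5
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    kernel32.OpenMutexW.restype = wintypes.HANDLE
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    err = ctypes.get_last_error()
    if err == ERROR_ACCESS_DENIED:
        return True
    if err == ERROR_FILE_NOT_FOUND:
        return False
    raise OSError(err, f"OpenMutexW failed for {name!r}")


def demo() -> None:
    """Run the checks over the constructed inputs and print the findings."""
    print("hash match on constructed bytes:", match_sample(b"not the sample"))
    for n, kind, line in scan_log_for_c2(CONSTRUCTED_LOG):
        print(f"line {n} [{kind}] {line}")
    print("mutex present:", mutex_present())


if __name__ == "__main__":
    demo()
```

The hash comparison uses all four digests so that a single mismatched or truncated value in a shared IOC list does not hide a true match; the port-only hit is reported separately so it can be triaged rather than blocked outright.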

MITRE ATT&CK Enterprise v15

Tasks