General

  • Target: 16325521309.zip
  • Size: 326KB
  • Sample: 240402-jervkaba7t
  • MD5: 8b47e89cea5364c2653cc2046351a70d
  • SHA1: cb2c05727eaa505175a7d453a87842a252899cb3
  • SHA256: 6174891a27c2107ba9183e3939eb53edc70fedcff0c73c9aa5f1c07cf984b298
  • SHA512: 325bce0904f15fb148adebd6c2224a012a3436fca67e9f160b4c93929099c3bd922415a9bce0ecb7feec5ebbbaa945bc658a71c14bf76d5199568cb24ed28b32
  • SSDEEP: 6144:8DkatCTgbugDAlupLpO9B9GqamvJk+ytN57OvYWuB+qaJbUHE8GdVk1XMdi/:2kWCTg602ufkT7Jo56Q4qIbyEVdVqXMa

Score
10/10

Malware Config

Extracted

Family: xworm

C2: 210.246.215.82:7000

Attributes
  • Install_directory: %ProgramData%
  • install_file: WindowsNT.exe

Targets

    • Target: 9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b
    • Size: 427KB
    • MD5: 884939ef6ce29bd82add03e94a61abb9
    • SHA1: ae52176f4928a3bf19513bd95fc4251ba8db5d5a
    • SHA256: 9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b
    • SHA512: 268b662e74580e948ae73d5d3005e0b9fcfb90c72a0f391bab980c55af0573a1e1082eb5d8b0940f3255d14f8a42901365582b52d9f21032bad125b55b0ea86f
    • SSDEEP: 12288:iXQhmNReC7nFPfkhkyDW7AUz29BbOy9Md:ighY57nyNUzcAMM

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks