General

  • Target

    884939ef6ce29bd82add03e94a61abb9.exe

  • Size

    427KB

  • Sample

    240402-kjp27sca7z

  • MD5

    884939ef6ce29bd82add03e94a61abb9

  • SHA1

    ae52176f4928a3bf19513bd95fc4251ba8db5d5a

  • SHA256

    9e5865fd21de52ffdfed7301c0542693d1a5a066c49dfb197ddce0acab589b7b

  • SHA512

    268b662e74580e948ae73d5d3005e0b9fcfb90c72a0f391bab980c55af0573a1e1082eb5d8b0940f3255d14f8a42901365582b52d9f21032bad125b55b0ea86f

  • SSDEEP

    12288:iXQhmNReC7nFPfkhkyDW7AUz29BbOy9Md:ighY57nyNUzcAMM

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      884939ef6ce29bd82add03e94a61abb9.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
