General

  • Target

    xSpoofer-new.exe

  • Size

    7.0MB

  • Sample

    240402-kkwalsce65

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      xSpoofer-new.exe

    • Size

      7.0MB

    • MD5

      6b47add2cf208a988c57c8f00461de0b

    • SHA1

      cf9518f4bd3cf94ab7225423e4365f4a262a9c61

    • SHA256

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

    • SHA512

      e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

    • SSDEEP

      196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks