General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.zip

  • Size

    6.8MB

  • Sample

    240402-mahmwafa66

  • MD5

    29940b6969fc73dd0da9f273343736b0

  • SHA1

    d63777b0d1919b8ad085b77639d035eac32051ff

  • SHA256

    69443316cd3565cf0a8cf3abd871129826afa00593964771b8f2a1fbf8ffce2d

  • SHA512

    1d67adcaaefa477ef080ad401bf857d7f038ba94934429ef04b144bad5e263c58aa313b16ba09460789a7647ec666dd5821df7acb6ba3014de606ac7850fcf6b

  • SSDEEP

    196608:DewJ0njMnrLFlrVEETfT3x/m8OEbl9lfP5giXAVXHuK:DewmnjMnrp7EO9Btb9PTXm/

Malware Config

Extracted

  • Family

    xworm

  • C2

    210.246.215.82:7000

  • Attributes

    • Install_directory

      %ProgramData%

    • install_file

      WindowsNT.exe

Targets

    • Target

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

    • Size

      7.0MB

    • MD5

      6b47add2cf208a988c57c8f00461de0b

    • SHA1

      cf9518f4bd3cf94ab7225423e4365f4a262a9c61

    • SHA256

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

    • SHA512

      e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

    • SSDEEP

      196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
