General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.zip

  • Size

    6.8MB

  • Sample

    240402-mmp8gsfb6y

  • MD5

    31e33f941d8c08947cf7c9a9146466a5

  • SHA1

    4ea8e2c1f616a267d420430a6fff5dd4cdb663a4

  • SHA256

    5d85b89de4dac09c291d0542530284faddf664dd1b8c3ad1cba98f9efc92394f

  • SHA512

    207a9dab6e63403859ce2f4717b0698f4bfa28a0c357d07759e7f8bf6d5dc0a0786dcb50ea0491b5d9deb09b0f86141ce9f079909c14454589f345ebeb4f0a53

  • SSDEEP

    196608:ixR3ykN1jdw0gwG/wZRkJEOxdg1C2x44RhRctEKgIU+haZyEY:ixoEjdRywZ5Uu44RGfZhaZHY

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

    • Size

      7.0MB

    • MD5

      6b47add2cf208a988c57c8f00461de0b

    • SHA1

      cf9518f4bd3cf94ab7225423e4365f4a262a9c61

    • SHA256

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

    • SHA512

      e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

    • SSDEEP

      196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks