General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.zip

  • Size

    6.8MB

  • Sample

    240402-mq7xpsfe2w

  • MD5

    5831e9426f6f0a1a5de61ca728119c97

  • SHA1

    b2e7090a9f7ffbd29cf0251b8484a5b9b4c67b6f

  • SHA256

    e2df271ed6a123c006d93f4442eb967be880fd7d07a24e6b56b304468f9a30c6

  • SHA512

    9c7da697ba623960dbdd5f5ea700174dcc12477fed7c7504daf9104cca8f734a30f71be3d0e060fb4a84e47319f42bd58c505ccda409e24d513b110bf973d866

  • SSDEEP

    98304:8ai13e1dYInGZomQnqRd9YCiznt25xxk0nmlIumtiiH3YBDE7QsTDHZQgaB6:8ai13e1ZnKQk/izMjmlIuziXYJ3snCE

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

    • Size

      7.0MB

    • MD5

      6b47add2cf208a988c57c8f00461de0b

    • SHA1

      cf9518f4bd3cf94ab7225423e4365f4a262a9c61

    • SHA256

      b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

    • SHA512

      e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

    • SSDEEP

      196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks