General

  • Target

    4ea74d638cf40fe1f40e6cdfe564cc55e9d2546ef856ce261a1636fc83d02a32.zip

  • Size

    3KB

  • Sample

    240403-bpenzsbf48

  • MD5

    d03bfc8079284f50346ade38cf5cc09b

  • SHA1

    7a75359a165e5325a80467a1debf273f47a97ec9

  • SHA256

    4ea74d638cf40fe1f40e6cdfe564cc55e9d2546ef856ce261a1636fc83d02a32

  • SHA512

    2752ec262e3f021414c4a51278a9939b13b7e621834fba9cfaacbda0200b1a8b7dc54669892a05cc15d6fb39e9a24081683753a1eb02daebabf6f348267cd577

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    marxrwonew9090.duckdns.org:9090

  • Mutex

    jAGA4ZotP9f5mS9c

  • Attributes

      • Install_directory

        %AppData%

      • install_file

        USB.exe

  • aes.plain

Targets

    • Target

      R9283762154.wsf

    • Size

      4KB

    • MD5

      8e047f6425b7cea3bcbaa0f78f5f7e14

    • SHA1

      815c48877684459d0ef854e868bdd6fcb3e79274

    • SHA256

      d8aea7be5efe36eb90538c5f54a02f966e95bc6475c836d94795ae67f7ff15c7

    • SHA512

      7b474beab4decea2bf793899d736e5bd4bbe07be42d6a5c55a0c7db1a7f51ab62498484ab308b3e847b973559e3b87b4e4c4182724c627cfc5889358501032ce

    • SSDEEP

      48:WTgpFb0AdhwfG6p+IhWJDUTUg5FaAuaaJZGZUoUuUdO9Q/KjBo6RBNamMB9Ug8h8:KMh/76oMG2am4Twj+nxYD8fAc

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
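
The extracted configuration and the behavioural signatures above give concrete host and network indicators for this sample: the install path %AppData%\USB.exe, a Run key pointing at it, DNS and TCP traffic to marxrwonew9090.duckdns.org:9090, and the mutex jAGA4ZotP9f5mS9c. The script below is an added example and is not code from the sandbox report or from the sample. It derives indicators from the config values on this page and runs them over constructed Sysmon-style log lines (the key="value" layout, the field names and the events themselves are assumptions made for the demonstration; Sysmon does not log mutex creation, so that line stands in for a sandbox or EDR event). Paths are folded back to the %AppData% form so a real profile path compares against the config value.

```python
"""
Hunting helper derived from the extracted Xworm configuration on this page.
Added example: not code from the sandbox report or from the sample. The log
lines below are constructed, not captured; they imitate Sysmon events in a
simple key="value" layout so the detection logic can run offline.
"""
import re
from dataclasses import dataclass

# Values copied from the "Malware Config" section of this report.
XWORM_CONFIG = {
    "c2": "marxrwonew9090.duckdns.org:9090",
    "mutex": "jAGA4ZotP9f5mS9c",
    "install_directory": "%AppData%",
    "install_file": "USB.exe",
}

# Registry path fragment shared by HKLM/HKCU Run keys.
RUN_KEY_FRAGMENT = "\\currentversion\\run\\"


@dataclass(frozen=True)
class Indicator:
    kind: str   # "dns", "net", "file", "runkey" or "mutex"
    value: str  # normalised (lower-case) comparison value


def indicators_from_config(cfg: dict) -> list[Indicator]:
    """Turn the extracted config into host and network indicators."""
    host, _, port = cfg["c2"].rpartition(":")
    install_path = f'{cfg["install_directory"]}\\{cfg["install_file"]}'.lower()
    return [
        Indicator("dns", host.lower()),
        Indicator("net", f"{host.lower()}:{port}"),
        Indicator("file", install_path),
        Indicator("runkey", install_path),
        Indicator("mutex", cfg["mutex"]),
    ]


# key="quoted value" or key=bareword
_KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value log line into a dict (assumed log layout)."""
    event = {}
    for m in _KV.finditer(line):
        key = m.group(1) or m.group(3)
        event[key] = m.group(2) if m.group(2) is not None else m.group(4)
    return event


# Fold a user's roaming AppData directory back to %AppData%, the form the
# extracted config uses, so a real profile path compares against it.
_ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.IGNORECASE)


def normalize_path(path: str) -> str:
    return _ROAMING.sub("%appdata%", path).lower()


def match_events(lines, indicators):
    """Return (line_no, kind, evidence) for every log line hitting an indicator."""
    by_kind = {}
    for ind in indicators:
        by_kind.setdefault(ind.kind, set()).add(ind.value)
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "22" and ev.get("QueryName", "").lower() in by_kind.get("dns", ()):
            hits.append((n, "dns", ev["QueryName"]))          # Sysmon DNS query
        elif eid == "3":                                      # Sysmon network connect
            dest = f'{ev.get("DestinationHostname", "").lower()}:{ev.get("DestinationPort", "")}'
            if dest in by_kind.get("net", ()):
                hits.append((n, "net", dest))
        elif eid == "11" and normalize_path(ev.get("TargetFilename", "")) in by_kind.get("file", ()):
            hits.append((n, "file", ev["TargetFilename"]))    # Sysmon file create
        elif eid == "13":                                     # Sysmon registry value set
            if RUN_KEY_FRAGMENT in ev.get("TargetObject", "").lower() \
                    and normalize_path(ev.get("Details", "")) in by_kind.get("runkey", ()):
                hits.append((n, "runkey", ev["TargetObject"]))
        elif ev.get("EventType") == "CreateMutex" and ev.get("Name") in by_kind.get("mutex", ()):
            hits.append((n, "mutex", ev["Name"]))             # hypothetical sandbox/EDR event
    return hits


# Constructed log lines (not from the report). Line 5 is benign noise that must not match.
SAMPLE_LOG = [
    r'EventID=11 Image="C:\Windows\System32\wscript.exe" TargetFilename="C:\Users\bob\AppData\Roaming\USB.exe"',
    r'EventID=13 Image="C:\Users\bob\AppData\Roaming\USB.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\USB" Details="C:\Users\bob\AppData\Roaming\USB.exe"',
    r'EventID=22 Image="C:\Users\bob\AppData\Roaming\USB.exe" QueryName="marxrwonew9090.duckdns.org" QueryResults="203.0.113.10"',
    r'EventID=3 Image="C:\Users\bob\AppData\Roaming\USB.exe" DestinationHostname="marxrwonew9090.duckdns.org" DestinationPort="9090"',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationHostname="example.org" DestinationPort="443"',
    r'EventType=CreateMutex Image="C:\Users\bob\AppData\Roaming\USB.exe" Name="jAGA4ZotP9f5mS9c"',
]

if __name__ == "__main__":
    for line_no, kind, evidence in match_events(SAMPLE_LOG, indicators_from_config(XWORM_CONFIG)):
        print(f"line {line_no}: {kind:6} {evidence}")
```

The Run key check requires both the key path and the value data to match, so a Run entry that merely shares the name USB would not fire; the port is part of the network indicator because duckdns hostnames are reassigned freely and the hostname alone is weak evidence once the sample is retired.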

MITRE ATT&CK Enterprise v15

Tasks