General

  • Target

    cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b.hta

  • Size

    834B

  • Sample

    240403-cdt5zach47

  • MD5

    e81963d4c5a431f529c7669d3595a943

  • SHA1

    82ac49f24caad73263ae461a2c1c7546b1ba9ded

  • SHA256

    cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b

  • SHA512

    2ba83def4a81ede89bd54a5c0d4b4592985c13a10507b9a2dfb45c46e6e234d54dc14f98562eb2d3d3766e28290e83175c098a6203dd52effacc0176da7bb209

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Targets

    • Target

      cf6cab6b405f7e849e6585f6f4c1ae3fd155b75d8ceb197bd0cf46a9b4c5f91b.hta

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.