Resubmissions

08-04-2024 14:10

240408-rg3c3sba45 10

08-04-2024 14:07

240408-re6bysah74 10

General

  • Target

    XWorm-V5.0.rar

  • Size

    28.8MB

  • Sample

    240408-rg3c3sba45

  • MD5

    f778fc725ed79c15d3ad889e7a33bea8

  • SHA1

    6dfce5a46e080fb2436b09a5ed68b98b4c28c17d

  • SHA256

    c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa

  • SHA512

    ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a

  • SSDEEP

    786432:6yo/MS7REHxn8OlhE5INyrYl4M9fumjXmwowxMza:E9iWyhE5+yreZ9tXmw/xMza

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

Rg1w8TcZ1AXGhMnB

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    WindowsDefender.exe

aes.plain

Targets

    • Target

      XWorm-V5.0/FixNoStart/Fix64.exe

    • Size

      101KB

    • MD5

      3bd72a361ce4e5514c2e6eee83f08545

    • SHA1

      a5089aa08760b87c7940e6e1e0eac39509a1a9da

    • SHA256

      62a14b870bde8d57e50360039d3474210d1fdaf490afdd1bf36ce92fbaff893b

    • SHA512

      4cc7da68e5b766be6ace9d9ae0458fd09b827fc565dc545ad9d43b4f87638e622f3d280189c23e521dbac3311c583f66d96a9ce751b9aa985036a46b0f2cbc7d

    • SSDEEP

      1536:ddWE5W74A8VeAO6qmyVttdGFQeOPigx9:NJA8VHjqmyBeu9

    Score

    3/10

    • Target

      XWorm-V5.0/XWormLoader.exe

    • Size

      111KB

    • MD5

      9158e38c3bacd6cc50e4355783fead8b

    • SHA1

      c30c982c2d061e4bd8b5e0e3f89693b3939a0833

    • SHA256

      1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda

    • SHA512

      98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd

    • SSDEEP

      1536:SrHEKSUVTbZgAfQFj9136yOsvSqmyVttdGFQeOPig09:SrFXgkQFj91/OsvSqmyBez9

    Score

    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks