General

  • Target

    ready.exe

  • Size

    35KB

  • Sample

    240416-14gvbsfe7s

  • MD5

    d476feaed225d485ab178cd5d23411eb

  • SHA1

    6cd92177057bf3a8fe14bf3beaaca5197b64be76

  • SHA256

    c7d1e30207369d2131783197ebec2dde203c32891a1e9c261debf3698d624208

  • SHA512

    c72013f35c8866773f2de6baa2de0b5b1d6f22599259f1bd21d1191ae0c171c11231f8508f44c9bd03cf5dfcdc1271caad5deb5991069b5e368f21bd114cf258

  • SSDEEP

    768:hEW1VJlGap7cSZZ6fv9WiwzFH9l5OjhyobOW:eW13lGapfZIsZFH9l5OjxiW

Malware Config

Extracted

Family

xworm

Version

5.0

C2

66.66.146.74:9511

Mutex

r4Oju6JGCrZU7p49

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      ready.exe

    • Contains code to disable Windows Defender

      A .NET executable that turns off Windows Defender protections such as real-time monitoring and block-at-first-seen.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
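The extracted config (C2 66.66.146.74:9511, install path %AppData%\USB.exe, mutex r4Oju6JGCrZU7p49) and the behavioural signatures above (Run key persistence, Defender tampering, external IP lookup) translate directly into host-triage checks. The script below is an added example, not code from the sandbox or from the xworm sample: it matches those indicators against a small set of constructed, Sysmon-style event records. The event schema, the Run value name "USB", the HKCU hive, the Set-MpPreference command line and the list of IP-lookup hostnames are assumptions for illustration; the report does not state which service, hive or command the sample uses.

```python
"""Match the xworm indicators from this report against host telemetry.

Added example, not part of the sandbox report. Event records are
constructed; only the C2, install file and mutex come from the report.
"""
import re
from dataclasses import dataclass

# Indicators taken verbatim from the report's "Malware Config" section.
C2_HOST = "66.66.146.74"
C2_PORT = 9511
INSTALL_FILE = "USB.exe"
MUTEX = "r4Oju6JGCrZU7p49"

# Any value under a ...\CurrentVersion\Run key (hive-agnostic: HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Defender preferences named by the "disable Windows Defender" signature.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|BlockAtFirstSeen)",
    re.IGNORECASE,
)
# Assumed set of "legitimate IP lookup services"; the report names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}


@dataclass
class Event:
    kind: str      # "process", "registry", "network" or "mutex"
    fields: dict   # Sysmon-like fields; schema is an assumption of this example


def match_event(ev: Event) -> list:
    """Return the indicator names a single event satisfies."""
    hits = []
    f = ev.fields
    if ev.kind == "registry":
        if RUN_KEY_RE.search(f.get("key", "")) and INSTALL_FILE.lower() in f.get("value", "").lower():
            hits.append("run_key_persistence")
    elif ev.kind == "process":
        if DEFENDER_TAMPER_RE.search(f.get("cmdline", "")):
            hits.append("defender_tamper")
    elif ev.kind == "network":
        if f.get("dst_ip") == C2_HOST and f.get("dst_port") == C2_PORT:
            hits.append("c2_connection")
        if f.get("dst_host", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    elif ev.kind == "mutex":
        if f.get("name") == MUTEX:
            hits.append("xworm_mutex")
    return hits


def triage(events):
    """Map each indicator that fired to the indices of the events that fired it."""
    found = {}
    for i, ev in enumerate(events):
        for hit in match_event(ev):
            found.setdefault(hit, []).append(i)
    return found


def verdict(found):
    """C2 contact or the sample's mutex is conclusive on its own; the generic
    behaviours (persistence, Defender tampering, IP lookup) are only
    suspicious in combination, since each occurs in benign software too."""
    if "c2_connection" in found or "xworm_mutex" in found:
        return "xworm_confirmed"
    behavioural = {"run_key_persistence", "defender_tamper", "external_ip_lookup"}
    if len(set(found) & behavioural) >= 2:
        return "suspicious"
    return "clean"


# Constructed telemetry approximating what the signatures describe.
SAMPLE_EVENTS = [
    Event("process", {"image": r"C:\Users\victim\ready.exe", "cmdline": "ready.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\USB",
                       "value": r"C:\Users\victim\AppData\Roaming\USB.exe"}),
    Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"}),
    Event("network", {"dst_host": "api.ipify.org", "dst_port": 443}),
    Event("network", {"dst_ip": "66.66.146.74", "dst_port": 9511}),
    Event("mutex", {"name": "r4Oju6JGCrZU7p49"}),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, idx in found.items():
        print(f"{name:22s} events {idx}")
    print("verdict:", verdict(found))
```

The Run-key check deliberately requires both the key path and the install file name, so an unrelated Run value does not fire; the C2 check keys on the exact ip:port pair from the config rather than the address alone, because the same host may serve other ports.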
