General

  • Target: 7d9e874203b7c262e9adb12ca599b2732044c9fa4eba6649ebfd04f277977467
  • Size: 447KB
  • Sample: 240417-r8bdnsed2z
  • MD5: 1bb973fc23f43fc74ecadded1ff9db07
  • SHA1: 67c674239f1beaee1fd8c13ca5d57c8a58550242
  • SHA256: 7d9e874203b7c262e9adb12ca599b2732044c9fa4eba6649ebfd04f277977467
  • SHA512: a4876e4f47e9222bf2ae557a51a607b62f4dd1f217484eeefec618840fb81115e5b162ce3cf26ab9f020c06e458e4a1b2439eb2eac2bf7fb670d62c62d64b73c
  • SSDEEP: 12288:dMAwFLDj3ZYc6u89F3AIKW+c16TNtNee/SAZp7YdL:dMAwJDjpvL89F3vL6RtNehAZpY

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: 103.67.163.156:80
  • Mutex: GR1Ja4STO1NfgM3m
  • Attributes
    • Install_directory: %AppData%
    • install_file: USB.exe
  • aes.plain

Targets

    • Target: 33d4fd69c03968b472e3b5ec2fdf43db754aeed4366ae0111ac97fd394ef1e45.exe
    • Size: 518KB
    • MD5: d3689c6f5e4336f5c79d3b5ef5588950
    • SHA1: 2b4ec9a97aa03de5c00616b3d4f695377791155f
    • SHA256: 33d4fd69c03968b472e3b5ec2fdf43db754aeed4366ae0111ac97fd394ef1e45
    • SHA512: 0e6b81284abcbe26c821c6ee4f02f7a8933fc1704baa485ddd7a45786a4eb777ecef0df2bee924f1bdbbf70b7e7a88749bc8544109a51dd1ea3116977965af41
    • SSDEEP: 12288:N+2iN/qHSkTkOMBKZ92HV1y4jiXLhT5vW:N+19qHSiZEKX
    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks