xworm

General

Target

ORBIT_LOADER.rar_1
Size

351KB
Sample

240419-28dtxaaa77
MD5

d498e0674ead62bd2d465d2c74085bff
SHA1

ad62469af5bdb660b272d0696f0a730b48f5307e
SHA256

4fcc32496885b57253012e973fa87008f9dd31b65764812a2b436f310e02776a
SHA512

7d6d67ab69b3b94ec335d0ae46505c2d50db01658c67826f021ff196623720cf58a9ae611ee509e9f52ec0b97503badd3ac57423212a357831834f31a6036f21
SSDEEP

6144:OVf06RISvE5q+5KQ935GMoV9YuFDHtKWJ6hqe++w4sEMnX73XchCxjdZPkksbd7L:Wv28E55KQ9JKVaulU3c+w4sEMLcYjdZi

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

147.185.221.18:28789

Attributes

Install_directory
%AppData%
install_file
USB.exe

Targets

- Target
  
  INSTRUCTIONS.txt
- Size
  
  250B
- MD5
  
  0ba8399d87474129ed5324241f164a33
- SHA1
  
  964071af066bf019a5b3f51989095c221a7fd780
- SHA256
  
  a186b0cba59af0f81bba3430f3c707dd94bee872e55d320ec3d314b763f1f2d2
- SHA512
  
  860a93671182d37422c04cd9e48e9fe6260660d35d213e593b16d9ba6324ac0bacc9e646baa484fa67e40ed5cc0e24387c4f7bc2d2bc8b76c8413dbd0b5debf2
Score

1^/10
behavioral1
- Target
  
  KeyAuthBypass.bat
- Size
  
  303KB
- MD5
  
  c0125697130c434fdb337ae2eed19837
- SHA1
  
  82dd83d2252658eb6e2f9a79bea5670584325426
- SHA256
  
  0ff1422031c03d9a36b84a1d9949a417f805946af634c6b40f4d78287fc5e5a7
- SHA512
  
  86acf91777abfb3793a624ae69dc6d2e373ac3d807b43f519f85c46aa3c769ad1c5c1455205b42f98ee04aa1f7a1071466f2318767e671dab278f86e817e7c71
- SSDEEP
  
  6144:69eAjc5fgprVBnijYbb+kxBG6YJM/glTsZTtvbZuccrU109webL+QtlkuPl:31fgprajY3N7P/glTsZtgDVHkm
Score

10^/10

xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  ORBIT_LOADER.exe
- Size
  
  257KB
- MD5
  
  f31c297fc1d49b4a3d0a05a581cb9cb5
- SHA1
  
  fbd8e4fe4593dc695401224a83e306b69f8cb57b
- SHA256
  
  5ee96940638e550bee88191b5e0833e14bd97ebd3434ac796012624aca1089a7
- SHA512
  
  9d6285fb3f390c3a08ce0bb167a9eeeb2f7930ff72d44e1616156c7db81781686424fa108246203c6d462c14b5bc952913f67234615d512448853a5577febf74
- SSDEEP
  
  3072:kQO0XlV3MLxP2Zo2qwbK6XWRRzBBpDkqyG2gs2FqwetiE1fG3wCbTMzu:kQrvAxQLUzR3pOc3IwyirwCc
Score

7^/10

persistence
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3