General

  • Target

    BloxstrapModded.exe

  • Size

    5.0MB

  • Sample

    240420-s1amvabg33

  • MD5

    e7b2a449870a9783f05dfb0e5875d698

  • SHA1

    84224b8024bb12aba1454110e08af2305693f84b

  • SHA256

    e30eb0a1fd5f83a514006f54ab7f25dc46c0eee126b04e3518eb2e46f988939e

  • SHA512

    daabf76af5309a142b04513af0e409e4bdaf8e86d0abaee45996632b7a6300f5d3d4d74dc750f72af9281618767505580bf26bd81ea0624021da9fffd8c4a8f3

  • SSDEEP

    1536:pmtSNh5dMtrBDrqiYQ92Zxlc9lQPykpleqqy:w8NhviV/qcwc9+aQeo

Score
10/10

Malware Config

Extracted

Family

xworm

C2

million-houston.gl.at.ply.gg:27705

Attributes
  • Install_directory

    %AppData%

  • install_file

    BloxstrapModded.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15