Overview

overview

10

Static

static

10

z84jxn2.rar

windows7-x64

3

z84jxn2.rar

windows10-2004-x64

3

z842jxn2/z872jxn2.exe

windows7-x64

10

z842jxn2/z872jxn2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    z84jxn2.rar

  • Size

    39KB

  • Sample

    240421-dnd26shg2w

  • MD5

    9ca6caaa1fcda89d59529f1e09dc3b4c

  • SHA1

    1106f781d017d1b6c1369c600f2a8aba1239fac4

  • SHA256

    b01bb940254688c9ff0f2f7e0acc73ac7aa6c0e01c80f9417524cf7150edadfa

  • SHA512

    d58b1444253c1cde779e2a5dad7f33d19a940560f1a1935eebd8c85797126d55022cccf141ac75c3b286b194017261a308309693ccaf31efb4a39f2e7d7520e0

  • SSDEEP

    768:CtyYxjiWinegBxVUo0OXUoSy8UzNvsOajJT0VCmZ1jn5i4nWBIRxQ/:CtyyjfiN5Uo0ATSyzRsO8WVH1wIO/

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

195.35.2.168:7000

86.29.59.189:7000

72.59.79.119:7000

52.12.52.167:7000

16.39.62.122:7000
Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7082635030:AAGxz6qjNlJ3WqLSL0ZicFOCA9YHE32yRzQ/sendMessage?chat_id=6484754327

Targets

    • Target

      z84jxn2.rar

    • Size

      39KB

    • MD5

      9ca6caaa1fcda89d59529f1e09dc3b4c

    • SHA1

      1106f781d017d1b6c1369c600f2a8aba1239fac4

    • SHA256

      b01bb940254688c9ff0f2f7e0acc73ac7aa6c0e01c80f9417524cf7150edadfa

    • SHA512

      d58b1444253c1cde779e2a5dad7f33d19a940560f1a1935eebd8c85797126d55022cccf141ac75c3b286b194017261a308309693ccaf31efb4a39f2e7d7520e0

    • SSDEEP

      768:CtyYxjiWinegBxVUo0OXUoSy8UzNvsOajJT0VCmZ1jn5i4nWBIRxQ/:CtyyjfiN5Uo0ATSyzRsO8WVH1wIO/

    Score
    3/10
    behavioral1behavioral2

    • Target

      z842jxn2/z872jxn2.exe

    • Size

      69KB

    • MD5

      96d20619f6fca9f8ce04ee826bd49a1a

    • SHA1

      bbbb18c9c4a38dad5ce8cdc4dfc7bced7fa545e7

    • SHA256

      8df2b4dae2428156b659ae3e080ee5bbb71ef51c26eb90341b23ebce1217ac48

    • SHA512

      e21ef50bb1a94005ad42047c4f4ecafc5eaf56ff0ca682d79acaa885ed1f50cd1666ac98e7f111ab8879e8957ca982d2143613a12ae554308287cea901da8dca

    • SSDEEP

      1536:4piY3bmV6IfVQitW8n8aWPbQ40UqlSIgg6vgaOgy6x3c:uV3bmrfVQitX0bQ43IgROgy65c

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks