General

  • Target

    IPstresser.bat

  • Size

    104KB

  • Sample

    240428-dddzesee72

  • MD5

    9961f5a480e3b1f40284111352e26ef9

  • SHA1

    d764ca52b356a0dddfa35fe99555be1b5cf2999c

  • SHA256

    239bafce9c2a8cffe424e4f48eee9bac08e09ab7423da9ae1e23e8ab27a5f4f4

  • SHA512

    7220340e6eeebaa2504d9c5d8f7c171ce10d794fb0c7712c54d6dac95a33b7699e482f891f52c12fdeb0caa055da6fc6e75fd76107b82ce77d8cbfd131762d1a

  • SSDEEP

    1536:7nOs1HXZcHbLD8V9u86pOzbpdYU3rKeNHcedVdzng6nFFKdEmgRUGONJtrA:rOsR+bkV9UpOzNd33uehRd7g6FFaqONc

Malware Config

Extracted

Family

xworm

C2

continue-silk.gl.at.ply.gg:58347

127.0.0.1:58347

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

  • Scheduled Task/Job (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks