General
Target: XWorm-RAT-V2.1-main.zip
Size: 34.0MB
Sample: 240502-veh37sfa49
MD5: 88dfc456336a95ffeac16d9276083b7b
SHA1: 8949c8c8778bd6412a456212d4ba2707f12e9d7a
SHA256: edbdc2e1bed353b533761a069b2d9a563683318fd1657ce09f9be2fa8ccd497a
SHA512: 988ec72613d155bc362b1c0e0f1ee731f9653947328084e96eb436e7576b8e9c5114e59488216ea4f05d48126c5dbd7e983a02a412755b59b961f15c3ceea5f5
SSDEEP: 786432:jiIKRjrYlNTspDclWQUF4DQXzTnHB35mjVjYX/BbmLqIZW:efApsGAX0Wh35mj+bY8

Malware Config
Extracted: xworm
C2: 127.0.0.1:7000 (loopback address, not a routable endpoint)
duOqxoZJn4KwRoB3 (extracted config string; its field label did not survive extraction)
install_file: USB.exe
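Two things a practitioner wants to do with the values above before acting on them: confirm that a file in hand is really this sample, and decide whether the extracted C2 is worth blocking. The archive name follows the GitHub branch-archive convention (repository-main.zip) and the C2 is loopback, which together suggest (an inference, not something the report states) that the config carries builder or test defaults rather than a live operator endpoint. The following is an added example, not part of the sandbox report; the hash, SSDEEP and config values are copied from the report, while the function names and the classification rules are this example's own.

```python
"""Added example (not part of the sandbox report): verify a file against the
report's hashes, check whether two SSDEEP signatures can be compared at all,
and classify the extracted C2 before it reaches a blocklist. Hash and config
values are copied from the report; function names and the classification
rules are this example's own."""
import hashlib
import ipaddress

# Hashes and fuzzy hash exactly as listed in the report's General section.
REPORT_HASHES = {
    "md5": "88dfc456336a95ffeac16d9276083b7b",
    "sha1": "8949c8c8778bd6412a456212d4ba2707f12e9d7a",
    "sha256": "edbdc2e1bed353b533761a069b2d9a563683318fd1657ce09f9be2fa8ccd497a",
    "sha512": "988ec72613d155bc362b1c0e0f1ee731f9653947328084e96eb436e7576b8e9c"
              "5114e59488216ea4f05d48126c5dbd7e983a02a412755b59b961f15c3ceea5f5",
}
REPORT_SSDEEP = "786432:jiIKRjrYlNTspDclWQUF4DQXzTnHB35mjVjYX/BbmLqIZW:efApsGAX0Wh35mj+bY8"

# Values listed under "Malware Config". The 16-character string is carried as
# extracted; the report does not preserve its field label.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "c2": ["127.0.0.1:7000"],
    "extracted_string": "duOqxoZJn4KwRoB3",
    "install_file": "USB.exe",
}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Digest an in-memory buffer with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=("md5", "sha1", "sha256", "sha512"), chunk=1 << 20):
    """Stream a file through all hashers at once (the sample is 34 MB)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_mismatches(observed, expected):
    """Return {algorithm: (observed, expected)} for every digest that differs.
    An empty dict means the file is the exact sample the report describes."""
    return {name: (observed.get(name), exp)
            for name, exp in expected.items() if observed.get(name) != exp}


def parse_ssdeep(signature):
    """Split 'blocksize:chunk:double_chunk' into its three parts."""
    block_size, chunk, double_chunk = signature.split(":", 2)
    return {"block_size": int(block_size), "chunk": chunk, "double_chunk": double_chunk}


def ssdeep_comparable(sig_a, sig_b):
    """ssdeep only scores two signatures whose block sizes are equal or differ
    by exactly a factor of two; anything else compares as 0 regardless of
    content. With a block size of 786432 this sample is only comparable to
    files hashed at 393216, 786432 or 1572864."""
    a = parse_ssdeep(sig_a)["block_size"]
    b = parse_ssdeep(sig_b)["block_size"]
    return a == b or a == 2 * b or b == 2 * a


def classify_c2(endpoint):
    """Split host:port and say whether the host is worth blocking.
    A loopback or RFC 1918 address is a builder default or a lab setting,
    not an IOC that belongs in a perimeter blocklist."""
    host, _, port = endpoint.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return {"host": host, "port": int(port), "kind": "hostname", "actionable": True}
    if ip.is_loopback:
        kind = "loopback"
    elif ip.is_private:
        kind = "private"
    elif ip.is_global:
        kind = "public"
    else:
        kind = "special"
    return {"host": host, "port": int(port), "kind": kind, "actionable": kind == "public"}


if __name__ == "__main__":
    for endpoint in EXTRACTED_CONFIG["c2"]:
        print(endpoint, classify_c2(endpoint))
    print("ssdeep block size:", parse_ssdeep(REPORT_SSDEEP)["block_size"])
```

`hash_file` streams the archive once through all four hashers rather than reading 34 MB four times; `classify_c2` is the check that keeps a loopback endpoint such as this one out of a firewall blocklist, while still treating a public address or a hostname as actionable.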
Targets
Target: XWorm-RAT-V2.1-main.zip (34.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)

Signatures
- Detect Xworm Payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (the Visual Basic .NET command-line compiler, vbc.exe; VBScript is interpreted and has no compiler, so read the title as vbc.exe being launched)
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2 (the report does not name the service)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
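Most of the signatures above describe host telemetry that a SOC can match without any sandbox: a file written and then executed or loaded, a Run value or Startup entry pointing into a user-writable directory, vbc.exe spawned by something other than a build tool, and a DNS query to an external-IP service. The following is an added example, not part of the sandbox report: detection logic for those signatures run over a constructed, Sysmon-style event trace. Field names follow Sysmon (Image, ParentImage, TargetObject, Details, TargetFilename, QueryName, ImageLoaded); the rule names, the path and hostname lists, the install directory for USB.exe and every event are this example's own assumptions. The hosting-service signature is not modelled because the report gives no hostname to match on.

```python
"""Added example (not part of the sandbox report): detection logic for the
behavioural signatures listed above, run over constructed Sysmon-style
events. Field names follow Sysmon; the rule names, path lists, IP-lookup
host list and every event below are this example's own."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations a standard user can write to; a Run value pointing here is suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)
# A short sample of public external-IP services (assumption: extend per environment).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me",
                   "checkip.amazonaws.com"}
# Parents that legitimately launch the VB.NET compiler (vbc.exe) during a build.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) pairs in event order. 'dropped' correlates file
    writes with later executions or loads of the same path, which is what
    'Executes dropped EXE' and 'Loads dropped DLL' describe."""
    hits, dropped = [], set()
    for ev in events:
        kind = ev["EventType"]
        if kind == "FileCreate":
            target = ev["TargetFilename"]
            dropped.add(target.lower())
            if STARTUP_DIR.search(target):
                hits.append(("drops_startup_file", target))
        elif kind == "ProcessCreate":
            image = ev["Image"]
            if image.lower() in dropped and image.lower().endswith(".exe"):
                hits.append(("executes_dropped_exe", image))
            if basename(image) == "vbc.exe" and basename(ev["ParentImage"]) not in BUILD_PARENTS:
                hits.append(("vbc_outside_build", f"{basename(ev['ParentImage'])} -> vbc.exe"))
        elif kind == "ImageLoad":
            loaded = ev["ImageLoaded"]
            if loaded.lower() in dropped and loaded.lower().endswith(".dll"):
                hits.append(("loads_dropped_dll", loaded))
        elif kind == "RegistrySetValue":
            value = ev["Details"].strip('"')
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(value):
                hits.append(("run_key_user_writable", value))
        elif kind == "DnsQuery":
            if ev["QueryName"].lower() in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", ev["QueryName"]))
    return hits


# install_file name from the report; the AppData directory is assumed.
DROP = r"C:\Users\victim\AppData\Roaming\USB.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [  # constructed trace, not sandbox output
    {"EventType": "FileCreate", "Image": r"C:\Users\victim\Downloads\loader.exe", "TargetFilename": DROP},
    {"EventType": "ProcessCreate", "Image": DROP, "ParentImage": r"C:\Users\victim\Downloads\loader.exe"},
    {"EventType": "FileCreate", "Image": DROP, "TargetFilename": r"C:\Users\victim\AppData\Roaming\helper.dll"},
    {"EventType": "ImageLoad", "Image": DROP, "ImageLoaded": r"C:\Users\victim\AppData\Roaming\helper.dll"},
    {"EventType": "RegistrySetValue", "Image": DROP,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "Details": f'"{DROP}"'},
    {"EventType": "FileCreate", "Image": DROP,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USB.lnk"},
    {"EventType": "ProcessCreate", "Image": VBC, "ParentImage": DROP},
    {"EventType": "DnsQuery", "Image": DROP, "QueryName": "api.ipify.org"},
    # Benign noise that must stay silent: a real build, and a vendor Run value in Program Files.
    {"EventType": "ProcessCreate", "Image": VBC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventType": "RegistrySetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```

The two benign events at the end are the false-positive guard: vbc.exe under devenv.exe and a Run value pointing into Program Files are everyday activity, so the rules key on the parent process and on the user-writable location rather than on vbc.exe or the Run key alone.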