General

  • Target: horizon-v1-protected.exe
  • Size: 556KB
  • Sample: 240507-v89s1sgf41
  • MD5: 7a5f937f0e2366239a8a8069a54d0904
  • SHA1: 7d4954e04d0c38b903171cdb1da333c2767d1847
  • SHA256: 4138e7635768f0d05aecc10150d3daeb4e86cb4fe6865bf34bc06c4066158b76
  • SHA512: b344b500cd2880df8ed071bc122b836f0a65a6eb7c7e7ec23593137d5ed2ba9e7300fcb05b8498665fe5952aaf8a04bbfab08bf3e6342c7358896138e606cac4
  • SSDEEP: 12288:KA2xCnwolm0IiBCbxGSvdCSghganKbddxY5fQ3:yxCjA0viGLhmbddG5fM

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: 193.161.193.99:50291
  • Mutex: NeiWbK1BEE6rVCrr
  • Attributes
    • Install_directory: %ProgramData%
    • install_file: USB.exe
  • aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks