General

  • Target

    ing.png.exe

  • Size

    815KB

  • Sample

    240512-ntfhasdc6y

  • MD5

    0e6661bdcb33fed46336ed39d8f71fdd

  • SHA1

    fea97f35f26736bdbc8b982238aceadc5adc3af0

  • SHA256

    bab68a78b1116403210048871e781ae67207702c611dbc4b3923f79e68168948

  • SHA512

    0745a4bd7c845972761233924c14cfb574deb403903ebd687d51511c47cc1dea3c34df9543cef20c4c85227efd33145e1b3523ec4273b4e902460f585b3a833a

  • SSDEEP

    12288:yCQjgAtAHM+vetZxF5EWry8AJGy0eurNcsqPz7rTBFx+i6CgbXwwefZHXPl:y5ZWs+OZVEWry8AF2rqPnrtFxDgbeR9

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

85.203.4.146:7000

Mutex

691v03c0g8lz9y97

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

  • aes.plain

Targets

    • Target

      ing.png.exe

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
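The indicators above (a svchost.exe dropped under %Userprofile%, the C2 at 85.203.4.146:7000, and the sample hashes) can be turned into a simple hunt. The following is an added example, not code from the sandbox report or from the XWorm family: it runs three checks over Sysmon-style process, network and file events. The event records, the field names (`image`, `dst_ip`, `sha256`) and the list of directories where a genuine svchost.exe is expected are assumptions constructed for the example; the IP, port, file name and SHA256 are taken from the report.

```python
"""Hunt for the XWorm indicators reported above (added example, not part of the
sandbox report): svchost.exe launched from outside the Windows directory (the
report's %Userprofile%\\svchost.exe install path), a connection to the reported
C2 85.203.4.146:7000, and a file hash matching the sample.  The event records
below are constructed, Sysmon-style dictionaries, not real telemetry."""
import hashlib
import ntpath

# Indicators taken directly from the report's "Malware Config" and hash fields.
C2_IP, C2_PORT = "85.203.4.146", 7000
INSTALL_FILE = "svchost.exe"
SAMPLE_SHA256 = "bab68a78b1116403210048871e781ae67207702c611dbc4b3923f79e68168948"

# Assumption for the example: the only directories where svchost.exe is expected.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_svchost(image_path: str) -> bool:
    """True if the image is svchost.exe running from a non-Windows directory,
    e.g. the %Userprofile%\\svchost.exe path the report lists as install_file."""
    directory, name = ntpath.split(image_path)
    return name.lower() == INSTALL_FILE and directory.lower() not in LEGIT_SVCHOST_DIRS


def is_c2_connection(dest_ip: str, dest_port: int) -> bool:
    """True for an outbound connection to the reported C2 address and port."""
    return dest_ip == C2_IP and int(dest_port) == C2_PORT


def sha256_of(data: bytes) -> str:
    """Hash file contents so they can be compared with the report's SHA256."""
    return hashlib.sha256(data).hexdigest()


def hunt(events):
    """Return (event_id, reason) for every event that matches an indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and suspicious_svchost(ev["image"]):
            hits.append((ev["id"], "svchost.exe outside Windows dir: " + ev["image"]))
        elif ev["type"] == "network_connect" and is_c2_connection(ev["dst_ip"], ev["dst_port"]):
            hits.append((ev["id"], f"connection to XWorm C2 {C2_IP}:{C2_PORT}"))
        elif ev["type"] == "file_create" and ev.get("sha256", "").lower() == SAMPLE_SHA256:
            hits.append((ev["id"], "file hash matches reported sample"))
    return hits


# Constructed sample telemetry (not from the report or any real host).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\Users\alice\svchost.exe"},
    {"id": 3, "type": "network_connect", "dst_ip": "85.203.4.146", "dst_port": 7000},
    {"id": 4, "type": "network_connect", "dst_ip": "85.203.4.146", "dst_port": 443},
    {"id": 5, "type": "file_create", "sha256": SAMPLE_SHA256},
    {"id": 6, "type": "file_create", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(event_id, reason)
```

The path check is the durable one: the C2 address and hashes change between builds, but a svchost.exe that lives anywhere other than the Windows system directories is anomalous regardless of which family dropped it. The mutex name from the config can be checked on a live host with a handle enumeration tool, but it is not visible in ordinary file or network telemetry, so it is not part of this hunt.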

MITRE ATT&CK Enterprise v15

Tasks