General

  • Target

    43de230c095246934152c04d5d48751994b1f20bd08f1e5bb5738a15e3503514

  • Size

    41KB

  • Sample

    240521-k9mprsga7v

  • MD5

    f67bb681d3527e1285c2138c3e60e414

  • SHA1

    70ba55b2f36c47606f1c7835df04a4964ff36757

  • SHA256

    43de230c095246934152c04d5d48751994b1f20bd08f1e5bb5738a15e3503514

  • SHA512

    b82983acd04d66abf86f8a59c8dd1901809b8314a5c7dc9fa2c758492cb57dfe4ef06134be2d0f08d52ba049119ace9c90bfb83829215da38c5962815f880ca5

  • SSDEEP

    768:lU0MO0OwERFUa+s91Q7fRaYVO8MoJpJIF5PG9nelX6vOwh535iN:lU0M/5ET9zvy0Hfo3aFI9eB6vOwn8N

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

IfHxsdPplu71cY72

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Calculator.exe

  • pastebin_url

    https://pastebin.com/raw/WrxExzm8

aes.plain

Targets

    • Target

      43de230c095246934152c04d5d48751994b1f20bd08f1e5bb5738a15e3503514

    • Size

      41KB

    • MD5

      f67bb681d3527e1285c2138c3e60e414

    • SHA1

      70ba55b2f36c47606f1c7835df04a4964ff36757

    • SHA256

      43de230c095246934152c04d5d48751994b1f20bd08f1e5bb5738a15e3503514

    • SHA512

      b82983acd04d66abf86f8a59c8dd1901809b8314a5c7dc9fa2c758492cb57dfe4ef06134be2d0f08d52ba049119ace9c90bfb83829215da38c5962815f880ca5

    • SSDEEP

      768:lU0MO0OwERFUa+s91Q7fRaYVO8MoJpJIF5PG9nelX6vOwh535iN:lU0M/5ET9zvy0Hfo3aFI9eB6vOwn8N

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks