General

  • Target

    2024-05-21_13510ee957b93e9bc0d5f5f1ea2e981f_snatch

  • Size

    11.8MB

  • Sample

    240521-qpwd3afe8y

  • MD5

    13510ee957b93e9bc0d5f5f1ea2e981f

  • SHA1

    befa9cebba6fb51d96543a079cfbb9fc08cd4dde

  • SHA256

    13cee60c3b7075748252bda9170f1ef4bf89aa7a051669f4a359f65cfa59f7fc

  • SHA512

    835e72432560d08d71abfe544ac712fc9c32d5d36185dff9b6282833f681237dc707889f7f93df58467a4402ee7a50522a2f46a3361e70be2ea521883c1b80f2

  • SSDEEP

    196608:d/1NeAhlsGbOd4TPgUwrOZA0TQWKzpKhS/:dje8XbVTPgUwqZNxhS/

Score: 10/10

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    20.206.207.64:7000

  • Mutex

    3fx4DGwKa2tqA8ov

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks