General

  • Target

    b28a8d5f353b5a82b36efa770c99497b32b9570ff9db64cd7d99c00699c413b8

  • Size

    202KB

  • Sample

    240526-cb476aag2s

  • MD5

    169b9d2b0e1aa9b802aad505cd61a44b

  • SHA1

    026d09de7e27ad7ad9caea77b95e303b1266aa8e

  • SHA256

    b28a8d5f353b5a82b36efa770c99497b32b9570ff9db64cd7d99c00699c413b8

  • SHA512

    d047ce411163b62fab1388228a196ddc0f746ae2ae911dce19f19c55e15612de5ee81827c41d3b74f2189ea3035980a635b3712c8707b4ac5e59e2bb0840208f

  • SSDEEP

    3072:Sk2csTa8rJFf9HVUOM/8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnS:SDTauf9aUhcX7elbKTuq9bfF/H9d9n

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:52124

    147.185.221.19:52124

  • Mutex

    apN8vjmcKzKVTJXX

  • Attributes

    • Install_directory

      %Temp%

    • install_file

      XClient.exe

  • aes.plain

Targets

    • Target

      b28a8d5f353b5a82b36efa770c99497b32b9570ff9db64cd7d99c00699c413b8

    • Size

      202KB

    • MD5

      169b9d2b0e1aa9b802aad505cd61a44b

    • SHA1

      026d09de7e27ad7ad9caea77b95e303b1266aa8e

    • SHA256

      b28a8d5f353b5a82b36efa770c99497b32b9570ff9db64cd7d99c00699c413b8

    • SHA512

      d047ce411163b62fab1388228a196ddc0f746ae2ae911dce19f19c55e15612de5ee81827c41d3b74f2189ea3035980a635b3712c8707b4ac5e59e2bb0840208f

    • SSDEEP

      3072:Sk2csTa8rJFf9HVUOM/8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnS:SDTauf9aUhcX7elbKTuq9bfF/H9d9n

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks