General

  • Target

    VM_Dropper.exe

  • Size

    130KB

  • Sample

    240530-djtbascb4x

  • MD5

    6840b21eb384c768799185be5fd4a9a8

  • SHA1

    3d348bfb74d87807d2b52ddbb5fa6f7c384a70df

  • SHA256

    de9ea4b92ab39c4ff711fb80136eb53553d8932620a1794e41354bb5fb4060bc

  • SHA512

    c0281c653709c5a025335aa7a6b8ac0df699f281624a599b497b0dcf93b9f2b42e7614b4d1414e2a21f2315052c2c37a3c9b4952b96ce48164e81fadd40f00a9

  • SSDEEP

    1536:OiMIZ+OAo3t5jpSqxLhw3n1Dj/vpEUCnDCZI329c6Zil+WvJvE2GKMw2F+bavRA9:OiMWrBBIDTvOBEJrnF+bMAUs

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    san-periods.gl.at.ply.gg:45994

  • Mutex

    1BUzRXFjTnB3BgEr

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      svvhost.exe

  • aes.plain

Targets

    • Target

      VM_Dropper.exe

    • Detect Xworm Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
