General

  • Target

    s.exe

  • Size

    1.1MB

  • Sample

    240531-2qd2ysgc7x

  • MD5

    09633ffe1d3b4c7a747e4408f8efbce5

  • SHA1

    1204d7963755d1d126b4b37110b3ce9aa363be26

  • SHA256

    a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb

  • SHA512

    63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60

  • SSDEEP

    24576:lnRvWL+3S3y1JWGBjuRnuIppDos2THHyrHJmvX34IRpJlcin00I9nO2dhCzOqyCW:lnRvWL+3S3qQ+tOobrSjW34IRDain00I

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15