General

  • Target

    Injector2.exe

  • Size

    327KB

  • Sample

    240531-mtzqhaff92

  • MD5

    3e1b6c00c152ecd0945df66e71caa4c1

  • SHA1

    6b4e5c1646cac905034b740205f6003a73e872dc

  • SHA256

    1bee8362e0fffaa161de96775b92a2b6be47e65798251d0bfd4b82d134cfbd89

  • SHA512

    82a8682d63cb88e74667b9a4824e8d832aa9116fd8854e9debc0912ce1a5437544db213e363a6cfbf42bd5a1b0ed6ba4f622803759ca66e6ab50c4ad34b4627b

  • SSDEEP

    1536:MDW2YGf/GEjNLTkAD5eZZerr+bhsFz08ISAkTO/2jxSZEsFGfFuAYCRAutPsAzAz:MDrYW/rka5Rr+bhsjItGOOj0j

Malware Config

Extracted

Family

xworm

C2

rat234678235481254.ddns.net:4782

<Xwormmm>:3412

Note: "<Xwormmm>" is not a hostname. It is almost certainly the string XWorm uses as the separator (SPL) between fields of its configuration, which the extractor has emitted as a second host:port pair. Treat the ddns.net name and port 4782 as the network indicator; port 3412 may be a second listener port in the config, but the "<Xwormmm>" host should not be blocked or hunted for as a domain.

Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      Injector2.exe

    • Size

      327KB

    • MD5

      3e1b6c00c152ecd0945df66e71caa4c1

    • SHA1

      6b4e5c1646cac905034b740205f6003a73e872dc

    • SHA256

      1bee8362e0fffaa161de96775b92a2b6be47e65798251d0bfd4b82d134cfbd89

    • SHA512

      82a8682d63cb88e74667b9a4824e8d832aa9116fd8854e9debc0912ce1a5437544db213e363a6cfbf42bd5a1b0ed6ba4f622803759ca66e6ab50c4ad34b4627b

    • SSDEEP

      1536:MDW2YGf/GEjNLTkAD5eZZerr+bhsFz08ISAkTO/2jxSZEsFGfFuAYCRAutPsAzAz:MDrYW/rka5Rr+bhsjItGOOj0j

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Reads the country code configured in the registry, most likely to geofence execution (abort or stay dormant in selected regions).

    • Drops startup file

      Places a copy of itself in the Startup folder so it runs at logon.

    • Executes dropped EXE

      Launches the dropped copy ("Runtime Broker.exe" under %AppData%) rather than continuing from the original path.

    • Adds Run key to start application

      Registers the dropped copy under a Run key for persistence at logon. The name mimics the legitimate RuntimeBroker.exe, which lives in %SystemRoot%\System32 and has no space in its filename.
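The extracted config (install directory %AppData%, install file "Runtime Broker.exe") and the persistence signatures above translate directly into a host hunt. The following PowerShell script is an added example, not part of the sandbox report or the XWorm code; it checks the per-user and machine Run keys, both Startup folders, the install path from the config, and the DNS client cache for the ddns.net C2 name, flagging any "Runtime Broker.exe"/"RuntimeBroker.exe" that does not live in System32. The hash comparison assumes XWorm copies the dropper unmodified, so a mismatch is reported as an unknown file rather than discarded.

```powershell
# Added hunt script for the indicators in this report (not the sandbox's or XWorm's code).
# Assumption: the sample ran in a user context, so HKCU and the per-user Startup folder
# are the primary locations; HKLM and the common Startup folder are checked as well.

$Sha256Ioc   = '1bee8362e0fffaa161de96775b92a2b6be47e65798251d0bfd4b82d134cfbd89'
$InstallFile = 'Runtime Broker.exe'                 # install_file from the extracted config
$C2Host      = 'rat234678235481254.ddns.net'        # C2 from the extracted config
$LegitDir    = Join-Path $env:SystemRoot 'System32' # the real RuntimeBroker.exe lives here

$findings = New-Object System.Collections.Generic.List[object]

function Test-SuspiciousPath {
    param([string]$Path)
    # Run values are often quoted and carry arguments; keep only the executable path.
    $clean = ($Path -replace '^"([^"]+)".*$', '$1').Trim()
    if ($clean -notmatch '(?i)runtime\s?broker\.exe$') { return $null }
    if ($clean.StartsWith($LegitDir, [System.StringComparison]::OrdinalIgnoreCase)) { return $null }
    return $clean
}

# 1. Run keys: per-user, machine-wide, and the WOW6432Node view.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $hit = Test-SuspiciousPath -Path ([string]$p.Value)
        if ($hit) {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $hit })
        }
    }
}

# 2. Startup folders: dropped executables and .lnk shortcuts pointing at the dropped copy.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        if ($_.Name -match '(?i)runtime\s?broker') {
            $findings.Add([pscustomobject]@{ Type = 'StartupFile'; Location = $dir; Detail = $_.FullName })
        }
        if ($_.Extension -eq '.lnk') {
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
            $hit = Test-SuspiciousPath -Path $target
            if ($hit) {
                $findings.Add([pscustomobject]@{ Type = 'StartupLnk'; Location = $_.FullName; Detail = $hit })
            }
        }
    }
}

# 3. Install path from the config; compare against the report's SHA256.
$installed = Join-Path $env:APPDATA $InstallFile
if (Test-Path $installed) {
    $hash = (Get-FileHash -Path $installed -Algorithm SHA256).Hash.ToLower()
    $type = if ($hash -eq $Sha256Ioc) { 'KnownSample' } else { 'UnknownFileAtInstallPath' }
    $findings.Add([pscustomobject]@{ Type = $type; Location = $installed; Detail = $hash })
}

# 4. DNS client cache: a cached answer for the C2 name means the host has already resolved it.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -eq $C2Host }
if ($dns) {
    $findings.Add([pscustomobject]@{ Type = 'DnsCache'; Location = $C2Host; Detail = ($dns.Data -join ',') })
}

if ($findings.Count -eq 0) { Write-Output 'No XWorm indicators from this report found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session so the HKLM keys and the common Startup folder are readable. Any hit other than the System32 exclusion warrants pulling the file and the Run value for triage; the DNS cache check is opportunistic and will miss hosts where the resolver cache has already expired.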
