General

  • Target

    NursultanLoader.exe

  • Size

    72KB

  • Sample

    240531-rpzl6abc2t

  • MD5

    d590eb23f811fadbac7c9bbba0c5f5e8

  • SHA1

    7cb1544e98620162de39055f148df4891f06ffcb

  • SHA256

    9ea7e5655b847e770ee629b265bdde6d84756ceef2b6fc2849b67ced1c16b524

  • SHA512

    dc7728efc0a824d5ad4f42c733a50d9b5514e10a4720780c4d18817ad7cc49aea23bcedc371684e72e90046e8220c655cbe416b042a6adb5be326ca6d26549ce

  • SSDEEP

    1536:IX30DjAWkrWjuCnxu8Z3hbKL8BgW6y6nOyPCoGp:I0D0KPNFhbKtnOxh

Malware Config

Extracted

Family

xworm

C2

0.tcp.eu.ngrok.io:14677

Attributes
  • Install_directory

    %AppData%

  • install_file

    Expensive 3.1.exe

Targets

    • Target

      NursultanLoader.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
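The signatures above translate directly into host-side hunting logic. The following is an added example, not part of the sandbox report and not XWorm's code: it takes the extracted config (the ngrok C2, the `%AppData%` install file) and the listed behaviours (PowerShell Defender exclusions, dropped-EXE execution, Run-key persistence) and checks them against Sysmon-style events. The event dictionaries are constructed for illustration (field names follow Sysmon event IDs 1, 3, 11 and 13), and the list of ngrok domains beyond `0.tcp.eu.ngrok.io` is an assumption to be adjusted for your environment.

```python
import re

# IOCs copied from the report above (extracted config and loader hash).
C2_HOST = "0.tcp.eu.ngrok.io"
C2_PORT = 14677
INSTALL_FILE = "Expensive 3.1.exe"
LOADER_SHA256 = "9ea7e5655b847e770ee629b265bdde6d84756ceef2b6fc2849b67ced1c16b524"

# Behaviour patterns for the signatures the report lists.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Assumption: treat any ngrok tunnel hostname as suspicious egress, not only the exact C2.
NGROK_RE = re.compile(r"\.ngrok(-free)?\.(io|app)$", re.IGNORECASE)


def hunt(events):
    """Return (rule, evidence) pairs for every event matching a report behaviour.

    Events are processed in order so that 'executes dropped EXE' can correlate a
    FileCreate under %AppData% with a later ProcessCreate of that same path.
    """
    findings = []
    dropped = set()  # executables written under %AppData%\Roaming so far
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:  # Sysmon ProcessCreate
            if LOADER_SHA256 in ev.get("Hashes", "").lower():
                findings.append(("known_xworm_loader_hash", image))
            cmd = ev.get("CommandLine", "")
            if DEFENDER_EXCLUSION_RE.search(cmd):
                findings.append(("defender_exclusion_via_powershell", cmd))
            if image in dropped:
                findings.append(("executes_dropped_exe", image))
        elif eid == 11:  # Sysmon FileCreate
            target = ev.get("TargetFilename", "")
            if APPDATA_RE.search(target) and target.lower().endswith(".exe"):
                dropped.add(target)
                if target.endswith(INSTALL_FILE):
                    findings.append(("xworm_install_file_dropped", target))
        elif eid == 13:  # Sysmon RegistryValueSet
            key = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(key):
                findings.append(("run_key_persistence", f"{key} -> {ev.get('Details', '')}"))
        elif eid == 3:  # Sysmon NetworkConnect
            host = ev.get("DestinationHostname", "")
            port = ev.get("DestinationPort")
            if host == C2_HOST and port == C2_PORT:
                findings.append(("xworm_c2_match", f"{host}:{port}"))
            elif NGROK_RE.search(host):
                findings.append(("ngrok_tunnel_egress", f"{host}:{port}"))
    return findings


# Constructed sample telemetry mirroring the report's behaviour chain, plus benign noise.
APPDATA = r"C:\Users\victim\AppData\Roaming"
DROPPED = APPDATA + "\\" + INSTALL_FILE
LOADER = r"C:\Users\victim\Downloads\NursultanLoader.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LOADER, "CommandLine": "NursultanLoader.exe",
     "Hashes": "SHA256=" + LOADER_SHA256.upper()},
    {"EventID": 11, "Image": LOADER, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": LOADER, "Details": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1"},
    {"EventID": 1, "Image": POWERSHELL, "Hashes": "SHA256=AAAA",
     "CommandLine": f"powershell -Command Add-MpPreference -ExclusionPath '{DROPPED}'"},
    {"EventID": 1, "Image": DROPPED, "CommandLine": f'"{DROPPED}"', "Hashes": "SHA256=BBBB"},
    {"EventID": 3, "Image": DROPPED, "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT},
    # Benign events that must not fire.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
    {"EventID": 1, "Image": POWERSHELL, "CommandLine": "powershell Get-MpPreference",
     "Hashes": "SHA256=CCCC"},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The exact-host match on the C2 is the strongest signal but also the most brittle: ngrok tunnel endpoints are reassigned per session, so the broader `ngrok_tunnel_egress` rule is what catches the next build of the same loader.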

MITRE ATT&CK Enterprise v15

Tasks