General

  • Target

    Bloxstrap-v2.5.4.exe

  • Size

    8.1MB

  • Sample

    240531-vatddafb38

  • MD5

    0679c6591330ab2da2475ae9c59f3dd3

  • SHA1

    4a84f606f89f2efd0bac2ed81cd63261abc0bf70

  • SHA256

    669d8928c72692d168e5c283fcff37613d98e31267b81d41931651eeed78bb8b

  • SHA512

    d1ab972ef66e6277f13439de27c735b6ced33dc25c7d62faaae5c361f0bcdc63ee955a1c4e6e7aea11e50b0918417c401e1f62ca8f29801adb3c80962d8bbfb9

  • SSDEEP

    196608:9EFpft/92016gxp6mRbcYCGMcncOcWchner7UAdYZJswJHfXPzbvi+7N:9EG0Eup6qbcYCGMcncOcWchngU7ZJs0/

Malware Config

Extracted

Family

xworm

C2

selected-thongs.gl.at.ply.gg:80

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      Bloxstrap-v2.5.4.exe

    • Size

      8.1MB

    • MD5

      0679c6591330ab2da2475ae9c59f3dd3

    • SHA1

      4a84f606f89f2efd0bac2ed81cd63261abc0bf70

    • SHA256

      669d8928c72692d168e5c283fcff37613d98e31267b81d41931651eeed78bb8b

    • SHA512

      d1ab972ef66e6277f13439de27c735b6ced33dc25c7d62faaae5c361f0bcdc63ee955a1c4e6e7aea11e50b0918417c401e1f62ca8f29801adb3c80962d8bbfb9

    • SSDEEP

      196608:9EFpft/92016gxp6mRbcYCGMcncOcWchner7UAdYZJswJHfXPzbvi+7N:9EG0Eup6qbcYCGMcncOcWchngU7ZJs0/

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks