General

  • Target

    Stand.Handler.bat

  • Size

    478KB

  • Sample

    240531-zdasnacd8v

  • MD5

    b6de263fec4f04997a869ed7112b8759

  • SHA1

    59d43ded2302f76f602e6ea7ae1285b373300f3b

  • SHA256

    152c7242abce7287170a4025def239d75c3c294e0710f7073f6bbb25abc31c44

  • SHA512

    5237ea099e1bfef0ea6daeb77a78ba45fde4facfc010fb8182568c69f9d67b6eb3bb5a74a51b54a2a89299abbc4b733f01b9ad6e2d36df857c0586a883489533

  • SSDEEP

    12288:xQVCDDh3QR1lXysnmEPVyNj00kZfwscx93Zq6rCLooR:xQIDlQRnlLy+0vscTpqPr

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:57023

Name1442-57023.portmap.host:57023

Attributes

  • Install_directory

    %Temp%

  • install_file

    Stand.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks