General

  • Target

    UltraHook_2.exe

  • Size

    1.3MB

  • Sample

    240531-zmz4xach6z

  • MD5

    c90ce470e5a8d57b0f4db2233a775ad9

  • SHA1

    757c3abec71cc3cdcdc4bf7ac71ea188c436078d

  • SHA256

    4220bc873c501c7a34f1b9a638a5e1f32aa9904e9a5fa22e9bc742cc0879ef9a

  • SHA512

    473b3619945f10db78ccf13587f89fb115cf55929db8dd3de013c7f144e826460935f218c82776f2c1c2bc44926b5d07306fda2102bb286882bfd1a7a38f0d6e

  • SSDEEP

    24576:0VDTk3iXN0xaY2IB5F6GnIxFeKHuleVvDIx6p1T5NqNeOSarvZu8axUS2N:uomm1BjnIjRuleVvDIx6pbNqMl6faxUx

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

    • Target

      UltraHook_2.exe

    • Size

      1.3MB

    • MD5

      c90ce470e5a8d57b0f4db2233a775ad9

    • SHA1

      757c3abec71cc3cdcdc4bf7ac71ea188c436078d

    • SHA256

      4220bc873c501c7a34f1b9a638a5e1f32aa9904e9a5fa22e9bc742cc0879ef9a

    • SHA512

      473b3619945f10db78ccf13587f89fb115cf55929db8dd3de013c7f144e826460935f218c82776f2c1c2bc44926b5d07306fda2102bb286882bfd1a7a38f0d6e

    • SSDEEP

      24576:0VDTk3iXN0xaY2IB5F6GnIxFeKHuleVvDIx6p1T5NqNeOSarvZu8axUS2N:uomm1BjnIjRuleVvDIx6pbNqMl6faxUx

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
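The extracted config and the behavioural signatures above translate directly into host and network hunting logic. The following is an added example, not part of the sandbox report or the XWorm tooling, that runs the checks a practitioner would derive from this page over a few constructed telemetry lines (Sysmon-style process and network events, written here as `kind|image|detail`). It flags a `svchost.exe` running outside the Windows directories (the `%AppData%\svchost.exe` install location), PowerShell adding Defender exclusions, fetches of pastebin raw URLs (the `pastebin_url` used for C2 resolution), and external IP lookups. The report does not name the IP lookup service, so the host list for that check is an assumption; the sample events and the victim path are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Values taken from the extracted XWorm config on this page.
INSTALL_FILE = "svchost.exe"
PASTEBIN_URL = "https://pastebin.com/raw/Jt9Xgc6v"

# Directories from which the genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Defender exclusion cmdlets/parameters described by the PowerShell signature.
EXCLUSION_RE = re.compile(
    r"(add|set)-mppreference\b.*?-exclusion(path|extension|process)\b",
    re.IGNORECASE,
)

# Assumption: the report does not name the IP lookup service; these are common ones.
IP_LOOKUP_HOSTS = ("api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me")


@dataclass
class Event:
    kind: str    # "process" or "network"
    image: str   # full path of the process that generated the event
    detail: str  # command line (process) or destination URL (network)


def parse_event(line: str) -> Event:
    """Parse one constructed telemetry line of the form kind|image|detail."""
    kind, image, detail = line.split("|", 2)
    return Event(kind.strip(), image.strip(), detail.strip())


def classify(ev: Event) -> List[str]:
    """Return the names of the XWorm behaviours this single event matches."""
    hits: List[str] = []
    image_l = ev.image.lower()
    if ev.kind == "process":
        # XWorm installs as %AppData%\svchost.exe. Wherever %AppData% resolves,
        # a svchost.exe outside the Windows directories is the persistence artefact.
        if image_l.endswith("\\" + INSTALL_FILE) and not image_l.startswith(LEGIT_SVCHOST_DIRS):
            hits.append("svchost.exe outside Windows directory")
        if "powershell" in image_l and EXCLUSION_RE.search(ev.detail):
            hits.append("Defender exclusion added via PowerShell")
    elif ev.kind == "network":
        dest_l = ev.detail.lower()
        # Generalised from the configured pastebin_url to any pastebin raw fetch.
        if dest_l.startswith("https://pastebin.com/raw/"):
            hits.append("pastebin raw URL fetch (C2 resolution)")
        if any(host in dest_l for host in IP_LOOKUP_HOSTS):
            hits.append("external IP lookup")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run classify over every line; return (1-based line number, hits) for matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample telemetry (not taken from the report). Lines 2, 3, 5 and 6
# reproduce the behaviours listed in the signatures; the rest are benign noise.
SAMPLE_EVENTS = [
    "process|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "process|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|\"C:\\Users\\victim\\AppData\\Roaming\\svchost.exe\"",
    "process|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming'",
    "process|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Process",
    "network|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|" + PASTEBIN_URL,
    "network|C:\\Users\\victim\\AppData\\Roaming\\svchost.exe|https://api.ipify.org/",
    "network|C:\\Program Files\\Mozilla Firefox\\firefox.exe|https://example.com/",
]

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(hits)}")
```

The svchost check deliberately keys on the binary name and path rather than on the hashes above: the hashes identify this one build, while a `svchost.exe` under a user profile is the durable artefact of the `Install_directory`/`install_file` pair and survives repacking.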

MITRE ATT&CK Enterprise v15

Tasks