General

  • Target

    GetRyverV1.5.exe

  • Size

    89KB

  • Sample

    240609-mazw6ahc3v

  • MD5

    5f0f7fa98655c618b7fb9bce8e01dca0

  • SHA1

    b13e2ec9f71f916b4934200901a1bd85a7e19423

  • SHA256

    68f7a4ce68d84bdde71cb6543d90e5e0e08602db22f9b6388d31876c601fac31

  • SHA512

    8c99f654d7e6a997861e3a6f01820836dc4e43bffed604e804fae06112d259f85658d1670709e5a7341d2f15ac00639f259eea724e6a618ac341bb9f9fd245d0

  • SSDEEP

    1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwiOp:P7DhdC6kzWypvaQ0FxyNTBfii

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    1Wjei6X4VHgtDydY

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      dlhost.exe

    • pastebin_url

      https://pastebin.com/raw/pw1j2xqz

  • aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter (T1059): 1

    PowerShell (T1059.001): 1

  • Command and Control

    Web Service (T1102): 1

Tasks