xworm | acda5f587b002b91116b6739d05e7ddb259acd5aa287ae3b4a577db3b32fddfd | Triage

Sharing

General

Target

BloxStrap-V2.5.5.zip
Size

3.4MB
Sample

240609-mr55hahe5t
MD5

ad29bcc9efbd41f8be4364c2470b30ba
SHA1

b9830df1e4c2b7c2d730cbfd54796b381beed839
SHA256

acda5f587b002b91116b6739d05e7ddb259acd5aa287ae3b4a577db3b32fddfd
SHA512

b0386e664916702113cb794bb3906e9f5c853ade89aed804f4d61ff7a375dcee0697ac740829d82f5892e59ff67ae5abf2e9da4e4e6818a95fcd536e9b271eb1
SSDEEP

98304:E/meE/VJ+9mLqEDMuZpyqN9O5kKDxgh1btladoJcbvvGjF:um/JgCqUfpH9L91btl9JcTQ

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

korkos.now-dns.net:888

Mutex

iEQWUmDXHZnBZ3om

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  BloxStrap-V2.5.5.zip
- Size
  
  3.4MB
- MD5
  
  ad29bcc9efbd41f8be4364c2470b30ba
- SHA1
  
  b9830df1e4c2b7c2d730cbfd54796b381beed839
- SHA256
  
  acda5f587b002b91116b6739d05e7ddb259acd5aa287ae3b4a577db3b32fddfd
- SHA512
  
  b0386e664916702113cb794bb3906e9f5c853ade89aed804f4d61ff7a375dcee0697ac740829d82f5892e59ff67ae5abf2e9da4e4e6818a95fcd536e9b271eb1
- SSDEEP
  
  98304:E/meE/VJ+9mLqEDMuZpyqN9O5kKDxgh1btladoJcbvvGjF:um/JgCqUfpH9L91btl9JcTQ
Score

1^/10
behavioral1
- Target
  
  BloxStrap.exe
- Size
  
  116KB
- MD5
  
  66ea4062ac2a0e3cd42aef5e3fac72cd
- SHA1
  
  8337510716453cca386a2ad82bb6ffb2a5cda926
- SHA256
  
  f96a006372bb95414f9ab666e6eec7aef7395debc5e426995ea04bab14201cd4
- SHA512
  
  1947461ffe98f2f71d0665e751ba9d1bac4e59389c646af84fc7eacaf70bec52b44ff130a807cd86b8db9fba3dd2870c4d6e8ebabcf61be0d480c4b00ed159de
- SSDEEP
  
  3072:CHbOfk29dliNETddwY0JwsR4TbswYqkX5bEdGDOjESHhddJWjjY/ffIg0ju2UBs6:8bOF9dXnq0ck
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops file in System32 directory
behavioral2
- Target
  
  strap/driver.dll
- Size
  
  267KB
- MD5
  
  d2d9494118f2748019e13cdf1332e62f
- SHA1
  
  558b6f4de044ee0c724e66efa8d6db9a3ea3b13b
- SHA256
  
  92d9371a1e92644ff976dd5a99bc0dc32c33b7504995c0a796d94d8b971fa733
- SHA512
  
  be4494fa70595d78de751573dc0d0730a39527f56ef88ff52ba0001c1ee66ee1c287bd7fe830c0c9aab0bf7dc076327ce78db5e51ff1a9e4c4a4cc8895196e39
- SSDEEP
  
  6144:CfYYWwbpO+QATJwAs/rd5oCIEzsY1bp/5oyv9kLc4C2DSY+Fqx+RmPd:CfTWYpO+jTJwlrESdp/5dv9kq8SYiqxF
Score

1^/10
behavioral3
- Target
  
  strap/prog.data
- Size
  
  7.6MB
- MD5
  
  dbb820772caf0003967ef0f269fbdeb1
- SHA1
  
  31992bd4977a7dfeba67537a2da6c9ca64bc304c
- SHA256
  
  b2ac1e407ed3ecd7c7faa6de929a68fb51145662cf793c40b69eb59295bba6bc
- SHA512
  
  e8ac879c7198dffb78bc6ee4ad49b5de40a5a7dbbda53d427d0a034941487d13c8bb2b8d590a1fcdd81cd6abb8f21fdfcd52924eb00c45a42ee06c1e4b3d590f
- SSDEEP
  
  98304:XNd5DSd5DxTsed5D2ZT00UuOYoHwfLk3vSmaR0+Mc4AN0edaAHDfysrTl1:X+sdtObAbN0u
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

behavioral3

behavioral4