Overview

overview

10

Static

static

10

Xine Team Mod.exe

windows7-x64

10

Xine Team Mod.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Xine Team Mod.exe

  • Size

    76KB

  • Sample

    240614-x21b4swgqp

  • MD5

    de95cbcd76f1c92273d2183d5a6a6ea4

  • SHA1

    7c130342f0b73b1549ca3019d12adb856dd738de

  • SHA256

    344297545c34a79cd93ebe538c0792c835a20e9f7deaa0803e532566287cd574

  • SHA512

    05c4ba7f6bdd796143478bf4a08c4cc0dbd1ff9e5ab825bcad0efee89d4e437d1e534239c12f61767ebe23d168ebffa6bd7c7c8f62ed242edee0b48de767c29e

  • SSDEEP

    1536:2z9NHLDDXydETgPl7w+A+CfdYb3it8gw9k7LKH62cQcFOnjOuydIQN/Y:2zfrydE82fmbyt8xsOUZFOnjOuydIKg

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

sort-advantage.gl.at.ply.gg:24061

Attributes
  • install_file

    USB.exe

Targets

    • Target

      Xine Team Mod.exe

    • Size

      76KB

    • MD5

      de95cbcd76f1c92273d2183d5a6a6ea4

    • SHA1

      7c130342f0b73b1549ca3019d12adb856dd738de

    • SHA256

      344297545c34a79cd93ebe538c0792c835a20e9f7deaa0803e532566287cd574

    • SHA512

      05c4ba7f6bdd796143478bf4a08c4cc0dbd1ff9e5ab825bcad0efee89d4e437d1e534239c12f61767ebe23d168ebffa6bd7c7c8f62ed242edee0b48de767c29e

    • SSDEEP

      1536:2z9NHLDDXydETgPl7w+A+CfdYb3it8gw9k7LKH62cQcFOnjOuydIQN/Y:2zfrydE82fmbyt8xsOUZFOnjOuydIKg

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks