General

  • Target

    s3.exe

  • Size

    44KB

  • Sample

    240615-exwt1syeqd

  • MD5

    c67100bb482bc085af61d23aaa2c2191

  • SHA1

    1c2dbd8605509a30cb1fee426142c381dc392db2

  • SHA256

    41c277b3d567ac5449e29328212596efe8c16bf58bc9043b70a14d7142111163

  • SHA512

    a83ee017b97d5858cb337f0f877f27cfe0fea6b0a838711db5bf4445a57ce71cf2e8a4462a38cfbbaf545ea7c0cdefcb58b30cfb9184ef76ddd71011fcfe8af0

  • SSDEEP

    768:W2aZQnlm1k5nVABNIkfVr9PDDmFEPa9Bfc6tOFhFzwtw2:WKlRcflMFd9Nc6tOFnn2

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

U7sKl0tpfhRT8PYA

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    rundll64.exe

  • pastebin_url

    https://pastebin.com/raw/EiiXCJbn

  • aes.plain

Targets

    • Target

      s3.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
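The Defender-exclusion, scheduled-task and install-path behaviours listed above are the ones a responder can hunt for in process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688). The Python below is an added example, not part of this report or of any sandbox's code: it applies those checks to process command lines, using the install directory and file name from the extracted config above. The command lines it scans are constructed for illustration, and the regexes, function names and the "xworm-install-path" tag are assumptions of the example. Windows ships rundll32.exe but no rundll64.exe, so that file name under %LocalAppData% is a strong indicator on its own.

```python
"""Hunting logic for the host behaviours this report ties to the xworm sample:
PowerShell adding Windows Defender exclusions (T1059.001), scheduled-task
persistence (T1053) and execution from the configured install path
%LocalAppData%\\rundll64.exe. Input is process command lines such as those in
Sysmon Event ID 1 or Security Event ID 4688. Added example code; the sample
command lines are constructed for illustration, not output of the sandbox run."""
import re
from dataclasses import dataclass

# Values taken from the extracted config in this report.
INSTALL_DIR = "%LocalAppData%"
INSTALL_FILE = "rundll64.exe"

# %LocalAppData% as a literal, as a PowerShell variable, or expanded to a user profile path.
_LOCALAPPDATA = r"(?:%localappdata%|\$env:localappdata|[a-z]:\\users\\[^\\]+\\appdata\\local)"
INSTALL_PATH_RE = re.compile(_LOCALAPPDATA + r"\\" + re.escape(INSTALL_FILE.lower()))

# Add-MpPreference -ExclusionPath / -ExclusionExtension / -ExclusionProcess <value>
DEFENDER_EXCL_RE = re.compile(r"add-mppreference\b.*?-(exclusion(?:path|extension|process))\b")

# Task creation via the CLI tool or the PowerShell cmdlet.
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b")
REGISTER_TASK_RE = re.compile(r"\bregister-scheduledtask\b")


@dataclass(frozen=True)
class Finding:
    tag: str      # ATT&CK ID, or the example's own "xworm-install-path" tag
    reason: str


def analyze_command_line(cmd: str) -> list[Finding]:
    """Return the findings for one process command line (empty list if benign)."""
    low = cmd.lower()
    findings = []

    m = DEFENDER_EXCL_RE.search(low)
    if m:
        findings.append(Finding("T1059.001",
                                f"Add-MpPreference -{m.group(1)} adds a Defender exclusion"))

    if SCHTASKS_CREATE_RE.search(low) or REGISTER_TASK_RE.search(low):
        findings.append(Finding("T1053", "scheduled task created from a command line"))

    if INSTALL_PATH_RE.search(low):
        # Windows has rundll32.exe but no rundll64.exe, so this name under %LocalAppData%
        # matches the configured install file and nothing legitimate.
        findings.append(Finding("xworm-install-path",
                                f"references configured install path {INSTALL_DIR}\\{INSTALL_FILE}"))
    return findings


def scan(command_lines):
    """Return [(command_line, findings)] for every line with at least one finding."""
    hits = []
    for cmd in command_lines:
        found = analyze_command_line(cmd)
        if found:
            hits.append((cmd, found))
    return hits


# Constructed sample telemetry: four lines that should fire, two benign lines that must not.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA"',
    'powershell.exe -Command "Add-MpPreference -ExclusionProcess rundll64.exe"',
    'schtasks.exe /create /f /sc minute /mo 1 /tn "rundll64" '
    '/tr "C:\\Users\\victim\\AppData\\Local\\rundll64.exe"',
    '"C:\\Users\\victim\\AppData\\Local\\rundll64.exe"',
    'powershell.exe -Command "Get-MpPreference"',
    'rundll32.exe shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_COMMAND_LINES):
        print(cmd)
        for f in findings:
            print(f"  [{f.tag}] {f.reason}")
```

The install-path regex accepts the literal %LocalAppData%, the PowerShell `$env:LOCALAPPDATA` form and an expanded `C:\Users\<user>\AppData\Local` path, because the same drop location shows up in all three forms across PowerShell, schtasks and process-start events.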

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                                        ID          Count
Execution             Command and Scripting Interpreter                T1059       1
Execution             Command and Scripting Interpreter: PowerShell    T1059.001   1
Execution             Scheduled Task/Job                               T1053       1
Persistence           Scheduled Task/Job                               T1053       1
Privilege Escalation  Scheduled Task/Job                               T1053       1
Discovery             System Information Discovery                     T1082       1
Discovery             Query Registry                                   T1012       1
Command and Control   Web Service                                      T1102       1

Tasks