General

  • Target

    c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

  • Size

    434KB

  • Sample

    240621-by9wgsvdnb

  • MD5

    d9c9bb67226f0cf7ec29fb0dc84b4d90

  • SHA1

    b9bfe67a4df466960f8bcf7602f9765bab2068b4

  • SHA256

    c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db

  • SHA512

    6348a457dab60f2dc4cbc1cca36cf89e9f9b9e08da20879b7910329c49cb214532522385b2634e973eb27845896dee3782a79aa475818724ddec5ac4c0635df5

  • SSDEEP

    12288:ExREUttQ7xmH7INep10j6oCGHsMtf8GPuxvQirSgx:ETtta8bHLI6FGH9mGPYYirSgx

Malware Config

Extracted

Family

xworm

Version

3.1

C2

omirbekov.duckdns.org:4048

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db.exe

    • Size

      434KB

    • MD5

      d9c9bb67226f0cf7ec29fb0dc84b4d90

    • SHA1

      b9bfe67a4df466960f8bcf7602f9765bab2068b4

    • SHA256

      c7ea303e79e80bb5671ede0eab7291b16e0175f73fdb217d030354c5065b64db

    • SHA512

      6348a457dab60f2dc4cbc1cca36cf89e9f9b9e08da20879b7910329c49cb214532522385b2634e973eb27845896dee3782a79aa475818724ddec5ac4c0635df5

    • SSDEEP

      12288:ExREUttQ7xmH7INep10j6oCGHsMtf8GPuxvQirSgx:ETtta8bHLI6FGH9mGPYYirSgx

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables packed with SmartAssembly

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks