General

  • Target: fb18c39f77b20f1c5b2fe391afc1318f.bin
  • Size: 23KB
  • Sample: 240621-edjeksxepf
  • MD5: 7d31411ac88e0827aaf0f99f40680e17
  • SHA1: eb747d8da2b9215955d33936ea91d87e603a3978
  • SHA256: e6ffbcca0cf52c544269515f5e6340d92fd6f85d992b5d7cd57556e92db74197
  • SHA512: ffd36742dffc9600299d5df60d930ac32ea228d6bb54377c989766007b2aa360e4edc509875e3101de1c21c8458272f593cbd5003a395b2ea19c6cdd92607ada
  • SSDEEP: 384:btPF/OSEXqn11PJfuRIsYIDcDvp69v/h/IxjO7KKe1Zu2efWMpA3kMclDHLC+HIu:b3/+qfRfmvYXrp6BhwxjO7WO2AvWchLh

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: liliana221990.duckdns.org:7000
  • Mutex: 8rNeaQQDJANqySCC

Attributes

  • install_file: USB.exe
  • aes.plain

Targets

  • Target: RFQ_TSL104.20221024_pdf.vbs
  • Size: 400.0MB
  • MD5: 2638fb06302ad73878fd5ded3d1496c4
  • SHA1: b5578705001d62f3c0af0ff40d36a927c2d3e587
  • SHA256: adf773b49d8306e08b5232039e0dea143e2c015cdc731f1be86d7dd92fcca6a9
  • SHA512: d9a91cbab5e98de178c240d5d6331f63f0525e96ff87f6c512b22a5a62aec14873ac644821ec4a9a640b24979654b37d4b10115a98e72e1590bd529cc4392ae1
  • SSDEEP: 768:8axn72mwriA9vsCP7pkYeDIOcJIzazqeWIR4hw79GiWiQgFGdM+VA:8axn72mk7leVcR+naYEM7gFGdM+VA

  • Detect Xworm Payload
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks