General

  • Target

    Dropper (2).exe

  • Size

    41.9MB

  • Sample

    240622-fzcplatfmj

  • MD5

    babd6786b56da7569147d78883143eab

  • SHA1

    ed9a28e3e3f992b7d5839c5ea1588bfcdaab9667

  • SHA256

    d96909b8ed210da6dbff1b6c72edfcb6136a6d67428594e0a9dac2a172f30228

  • SHA512

    feb907fa8c721ab579398fc6183a5e77cd8302fcd46a1f0de822ea0fc3362c5e78419479007dafdb2563d957eab33d27b238cdb74de0d823bec28a5ef874e329

  • SSDEEP

    98304:bMc/TKslCQjGM+iG1+vuerpKE889ViYBO5GRt8M1D1Nq6pVwRJmUiyOfW:ocOsfje1+vuHET6YHRt8w1nwmUge

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Targets

    • Target

      Dropper (2).exe

    • Size

      41.9MB

    • MD5

      babd6786b56da7569147d78883143eab

    • SHA1

      ed9a28e3e3f992b7d5839c5ea1588bfcdaab9667

    • SHA256

      d96909b8ed210da6dbff1b6c72edfcb6136a6d67428594e0a9dac2a172f30228

    • SHA512

      feb907fa8c721ab579398fc6183a5e77cd8302fcd46a1f0de822ea0fc3362c5e78419479007dafdb2563d957eab33d27b238cdb74de0d823bec28a5ef874e329

    • SSDEEP

      98304:bMc/TKslCQjGM+iG1+vuerpKE889ViYBO5GRt8M1D1Nq6pVwRJmUiyOfW:ocOsfje1+vuHET6YHRt8w1nwmUge

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks