General

  • Target

    thegreatestexploit55.exe

  • Size

    1.2MB

  • Sample

    240725-qfyg3atclb

  • MD5

    216ceffb3ebd8883b11b0eb72fe91814

  • SHA1

    147b8e359f979e17a36d7d1d5ba4cce7362c9deb

  • SHA256

    154cb7dda4df9940111a074bc0796b69dc80179189e8db5b3b4679fdfb2a575c

  • SHA512

    9a3ed3f564bc4c6279af7fe3213980fb16d56da86f6189e4d45e177fe89f60fa072fce3fa981959c9f3056a0b13f0e33df22c0ef3e9f09f2ad2aa3046a52e055

  • SSDEEP

    24576:jxwhaVE+QElPnbrMxUzMhuiNCMXaUbdwlXZY7j3Q55zb3AJszmzVskeul:TlTXQP9QYHSzzAJsKP

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:34663

localhost:34663

institute-springer.gl.at.ply.gg:34663

Attributes

  • Install_directory

    %AppData%

  • install_file

    OperaGX.exe

Targets

    • Target

      thegreatestexploit55.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15