General

  • Target

    nTalu.lnk

  • Size

    2KB

  • Sample

    240731-jh4crsycnb

  • MD5

    79b6a1c72f61bf2358eca72f4d67b4d7

  • SHA1

    22c3540ce90d11b32b0a9c2eae94ae467af2aabf

  • SHA256

    ee3dad6434cb64d091d15fda5900d088f46b64d0603a449d6bd46afb9705140a

  • SHA512

    839fb585a20812324f4058cb2e354be77b243c212fcf35e1c16fb2668a266cbeb784844512e0aa15e6077cf2570e88b04bb986164f4972e1bc63a61576967d6e

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    lisa22194141.duckdns.org:7000

  • Mutex

    2tuao2989c3EVwzo

  • Attributes

    install_file: USB.exe

    aes.plain

Targets

    • Target

      nTalu.lnk

    • Size

      2KB

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks