General
-
Target
9b520c079411cbfeec0cf3ff1dd32bd0N.exe
-
Size
111KB
-
Sample
240806-nmlqqs1hre
-
MD5
9b520c079411cbfeec0cf3ff1dd32bd0
-
SHA1
d53cef633fec92944221f228d3de63272fdad3d1
-
SHA256
06fe00e31bd25f1dc0db0b5b068d329491c2fe543cc06655a3dbdf69ca1c3b3b
-
SHA512
be9bd83ea11073b9039ebff6e18007ca8df437a0ee3c31d223fd8100ad7331dc28c1e95b6b1a372538e46c48fa988613d3e522d8faba9cd6c9581f3a2f327c9f
-
SSDEEP
1536:Y+qFrwBul6SqYK1Q9yEnTI4GZjzQwK5WW7VCn6Ky7FAmu3wtBUniymeq07sZPSTy:vqpwBzSVaQ9yoT2e5BV0WUniyimy1
Malware Config
Extracted
xworm
xcode001.ddns.net:5552
atLBGvHePglqMeWk
-
install_file
config.exe
Targets
-
-
Target
9b520c079411cbfeec0cf3ff1dd32bd0N.exe
-
Size
111KB
-
MD5
9b520c079411cbfeec0cf3ff1dd32bd0
-
SHA1
d53cef633fec92944221f228d3de63272fdad3d1
-
SHA256
06fe00e31bd25f1dc0db0b5b068d329491c2fe543cc06655a3dbdf69ca1c3b3b
-
SHA512
be9bd83ea11073b9039ebff6e18007ca8df437a0ee3c31d223fd8100ad7331dc28c1e95b6b1a372538e46c48fa988613d3e522d8faba9cd6c9581f3a2f327c9f
-
SSDEEP
1536:Y+qFrwBul6SqYK1Q9yEnTI4GZjzQwK5WW7VCn6Ky7FAmu3wtBUniymeq07sZPSTy:vqpwBzSVaQ9yoT2e5BV0WUniyimy1
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1