General

  • Target: 023d1fc5d2c9b764979305703c8fe402f8776e073cd739f8b924a3b5a2f6050d
  • Size: 5KB
  • Sample: 240830-geqldszhql
  • MD5: 82d7ae4b17d62b79fcfeb2916d09b295
  • SHA1: a47bea5ac4dafb57cbf16dcb84e3c2ed01f9199c
  • SHA256: 023d1fc5d2c9b764979305703c8fe402f8776e073cd739f8b924a3b5a2f6050d
  • SHA512: de6befa9a4d5e3c0ed71c60b7229955b3e59f6a8367b9f1bd2809192d8689179266ba2b057484e76f9db16bb8cc41554ae9d1db1c2ddd399f36a4cf2fc68e1ce
  • SSDEEP: 96:y7kkYGfUvclZzbqCnXjjwUNhH44nN8bhgV+tW8S4/bSqtYPmXjCSvI7shhVHfyXH:MNeYxVnXjjwUNhDNWy+tB9bSdPmTCSvY

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: yolomesho.work.gd:7000
  • Mutex: oUFURe5xwVr67Kd5

Attributes
  • install_file: USB.exe

aes.plain

Targets

    • Target: 8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a.js
    • Size: 441KB
    • MD5: c7e47553b94c0d18ecf9e03b5ffec68b
    • SHA1: bfb60db9ad9e0bd41ee2335acaa6316264c0b638
    • SHA256: 8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a
    • SHA512: 5a624285b1d9179939495c0f2baa4ecfb7cc9561098977be825ab83b6c90d5e86b4571f5cfa603d9e5e2be76b8e84153a607f26b4263cbff908bb5aca2201194
    • SSDEEP: 384:JeeeeeeeeeeeRReeeeeeeeeeeReeeeeeeeeeezeeeeeeeeeee8eeeeeeeeeeeRe4:Heo

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Download via BitsAdmin

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
