General

  • Target: ecdea80099e541809e0ecb95f993123974f8722ad4bb2b2bdc6b489ca02aaabd
  • Size: 978KB
  • Sample: 240830-p6z8xavekf
  • MD5: f6e37f2a221fbca748053e8a46c3ef9f
  • SHA1: 92f1a5d8aad5bc421b803a6048a8ce0bbee0c953
  • SHA256: ecdea80099e541809e0ecb95f993123974f8722ad4bb2b2bdc6b489ca02aaabd
  • SHA512: 3c94e63bef99ab0d1cebe8f41b737b082600f1b2f1e723d134f1a400fe9f8dea0a75b263e3f7d5fa03bb8e4c9f84c3b567567b3026c5d5cf236e3c00fdb3f272
  • SSDEEP: 384:s8U6eeeeeeeeeeeRReeeeeeeeeeeReeeeeeeeeeezeeeeeeeeeee8eeeeeeeeeeU:fU2e

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: yolomesho.work.gd:7000
  • Mutex: oUFURe5xwVr67Kd5
  • Attributes
    • install_file: USB.exe

aes.plain

Targets

    • Target: New_Document-#3765618.js
    • Size: 441KB
    • MD5: c7e47553b94c0d18ecf9e03b5ffec68b
    • SHA1: bfb60db9ad9e0bd41ee2335acaa6316264c0b638
    • SHA256: 8ed7810c7c48d274f4b845cb155ab61af9ac0297fceb2f356ad5557434977b5a
    • SHA512: 5a624285b1d9179939495c0f2baa4ecfb7cc9561098977be825ab83b6c90d5e86b4571f5cfa603d9e5e2be76b8e84153a607f26b4263cbff908bb5aca2201194
    • SSDEEP: 384:JeeeeeeeeeeeRReeeeeeeeeeeReeeeeeeeeeezeeeeeeeeeee8eeeeeeeeeeeRe4:Heo

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Download via BitsAdmin

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks