General

  • Target

    XWormV5.2.exe

  • Size

    9.1MB

  • Sample

    240905-hlbw9avdkk

  • MD5

    1c264a483f2f667410157dac2f067d66

  • SHA1

    4831f141b41802d06d6735b237c53f4d34e9d428

  • SHA256

    1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474

  • SHA512

    1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2

  • SSDEEP

    196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      XWormV5.2.exe

    • Size

      9.1MB

    • MD5

      1c264a483f2f667410157dac2f067d66

    • SHA1

      4831f141b41802d06d6735b237c53f4d34e9d428

    • SHA256

      1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474

    • SHA512

      1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2

    • SSDEEP

      196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
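
The extracted config above (C2 host and port, install directory, install file name) and the behaviours in the signature list (Defender exclusions via PowerShell, a Run key for persistence, an executable named svchost.exe dropped outside System32) translate directly into host-level detections. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it runs those checks over a small constructed set of telemetry records. The record shape (a `kind` field plus Sysmon-like fields for script text, registry target/data, process image and network destination) is an assumption chosen for the example; the MITRE technique IDs are my mapping, since the report's ATT&CK section is not reproduced here; and the geofence and external-IP-lookup behaviours are deliberately left out because the report does not name the registry key or the lookup service involved.

```python
"""Hunt for the XWorm behaviours listed in this report over constructed telemetry.

Added example, not code from the sandbox report. The event dicts are a
constructed, simplified mix of PowerShell script-block text, registry value
writes, process creations and network connections; a real pipeline would map
its own schema (Sysmon, EDR, 4104 logs) onto these fields.
"""
import re

# Indicators taken from the report's extracted config.
C2_HOST = "uk1.localto.net"
C2_PORT = 3725
INSTALL_FILE = "svchost.exe"

# Directories where a genuine svchost.exe lives; any other svchost.exe is a masquerade.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Add-MpPreference / Set-MpPreference with any of the exclusion switches the report mentions.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(add|set)-mppreference\b.*?-exclusion(path|extension|process)\b",
    re.IGNORECASE | re.DOTALL,
)

# HKCU/HKLM ...\CurrentVersion\Run or RunOnce, any value name.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)


def expand_programdata(path):
    """Expand %ProgramData% to its default location (assumption: C:\\ProgramData)."""
    return path.strip('"').replace("%ProgramData%", r"C:\ProgramData")


def is_masquerading_svchost(image_path):
    """True when a file named svchost.exe sits anywhere except the real system dirs."""
    p = image_path.lower().replace("/", "\\")
    if not p.endswith("\\" + INSTALL_FILE):
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_SVCHOST_DIRS)


def triage_event(ev):
    """Return a list of (technique, detail) hits for one event dict."""
    hits = []
    kind = ev["kind"]
    if kind == "powershell_scriptblock":
        if DEFENDER_EXCLUSION_RE.search(ev["script"]):
            hits.append(("T1562.001 Defender exclusion via PowerShell", ev["script"].strip()))
    elif kind == "registry_set" and RUN_KEY_RE.search(ev["target"]):
        value = expand_programdata(ev["data"])
        hits.append(("T1547.001 Run key persistence", f"{ev['target']} -> {value}"))
        if is_masquerading_svchost(value):
            hits.append(("T1036.005 svchost.exe outside System32", value))
    elif kind == "process_create" and is_masquerading_svchost(ev["image"]):
        hits.append(("T1036.005 svchost.exe outside System32", ev["image"]))
    elif kind == "network_connect":
        host = ev["dest_host"].lower().rstrip(".")
        if host == C2_HOST and ev["dest_port"] == C2_PORT:
            hits.append(("XWorm C2 from extracted config", f"{host}:{ev['dest_port']}"))
    return hits


def hunt(events):
    """Run triage_event over a stream; return (event index, technique, detail) tuples."""
    findings = []
    for i, ev in enumerate(events):
        for technique, detail in triage_event(ev):
            findings.append((i, technique, detail))
    return findings


# Constructed sample telemetry: three malicious records from the report's
# behaviour list plus benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"kind": "powershell_scriptblock",
     "script": 'Add-MpPreference -ExclusionPath "C:\\ProgramData" '
               '-ExclusionProcess "svchost.exe" -ExclusionExtension ".exe"'},
    {"kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "data": r'"%ProgramData%\svchost.exe"'},
    {"kind": "process_create", "image": r"C:\ProgramData\svchost.exe"},
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe"},  # benign
    {"kind": "network_connect", "dest_host": "uk1.localto.net", "dest_port": 3725},
    {"kind": "network_connect", "dest_host": "www.bing.com", "dest_port": 443},  # benign
    {"kind": "powershell_scriptblock", "script": "Get-MpPreference"},  # benign, read-only
]

if __name__ == "__main__":
    for idx, technique, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}: {detail}")
```

The Run key check fires twice on the same record on purpose: once for the persistence mechanism itself and once because the value points at a svchost.exe in %ProgramData%, which is the combination a defender should weigh more heavily than either signal alone. Matching the C2 on the hostname rather than a resolved IP is deliberate, since localto.net is a tunnelling service whose backend addresses change; match the tunnel hostname and port and alert on any resolution of it.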

MITRE ATT&CK Enterprise v15

Tasks