Overview

overview

10

Static

static

10

XWorm V5.2.exe

windows7-x64

10

XWorm V5.2.exe

windows10-2004-x64

10

XWorm.exe

windows7-x64

10

XWorm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XWorm V5.2 (1).zip

  • Size

    31.4MB

  • Sample

    240907-ztt68svdkl

  • MD5

    395316ca38db46658455f03bea5e0878

  • SHA1

    5faf5a6e98be451dc185d494198dcf6e4c40626b

  • SHA256

    4584e840367c8990cb040f840d4e6af35424e3ab7618985bfc76190757eae2a2

  • SHA512

    6e2ef62efd7a4d154b94d740229ef6d86d46bfc37bb13273a8c93e9cf4ce581fa9a7211c93637f5a30d6e92c53e13da0081847d4bc7117432dd3510555990310

  • SSDEEP

    786432:m7WDxFi5bQy5IWieaMWY+23ILk+CGr0n3opV4HU7KgA93lp:mAFi5bnuVMWY54IX3q2UWgA9D

Score
10/10
agentteslastormkittyxwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      XWorm V5.2.exe

    • Size

      9.1MB

    • MD5

      1c264a483f2f667410157dac2f067d66

    • SHA1

      4831f141b41802d06d6735b237c53f4d34e9d428

    • SHA256

      1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474

    • SHA512

      1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2

    • SSDEEP

      196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      XWorm.exe

    • Size

      9.1MB

    • MD5

      76b8dd1cc4d42ceb68720da77fa05dab

    • SHA1

      4594f0a2b104257123b72587226e0694ed410803

    • SHA256

      7eacc3500da7eeebe2936d120ac8dbc56de6f1100b0ae77b13da5ee0850af4fb

    • SHA512

      5d72ea084d0b611566eb7fc35e6994c5bfd475813739ca9f5909206c081179d94faf59f707c52f9cf60de44cd1a86a6796c5ed1fd51f20db2c31abec3b9d964e

    • SSDEEP

      3072:5BZK4Q137x/2bSinOvaYA2ewhLapuvpAsZOyMqmyBeYVYm:zZlQ137xebFVc/GWGwqqm1

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks