General

  • Target

    25092024_0707_24092024_Quote RFQ.7z

  • Size

    387KB

  • Sample

    240925-hxw2kasajn

  • MD5

    ded773cc850b5142207e9b28570c48e8

  • SHA1

    28cc885c93abcfbd5f633be104eeb64a0d74f23c

  • SHA256

    f1055b0c41bbafa44020984438add0347be73b25566770ec6d2c5415f8ec2517

  • SHA512

    7327807b68643c867405c1a1f09d47b6668ee5f0924a187280c7974f927d8e3684953ba7de05d02bdfead6818bb3f05618570e37bef5f40be6a65a61d7af16fc

  • SSDEEP

    6144:1Gq+PVuSEzYL4HcPcIkj2oHDsTyga1gGIRTRLG2NzhhnW0Y0HBD5wxqP:1ZSEc44xkqTygtGORCwlrl5RP

Malware Config

Extracted

Family

xworm

Version

5.0

C2

154.216.17.202:2324

Mutex

8W6OkECJwZ3yP7A3

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      Quote RFQ.exe

    • Size

      1010KB

    • MD5

      14d3aeef6abc3681e6bd62e11b234474

    • SHA1

      c6eca792ee935e2bc72d609885a3af5a4152f718

    • SHA256

      de6fac6b59c67176d1d70cf6880322f218db673702310ee635a44d84661e201d

    • SHA512

      d3bc1965ef46702fdf4bacf44f97d66467dddbc671095efc983b017446d6b5782c8a4b4032ec36803e2119fe1f10006e8779fb80a8858ba1cb6f9686f77ab6f5

    • SSDEEP

      6144:wl4H4444C8trzGtVlEzYLfHcmcFfp2oWBw0yga1gTI9pRLG7NzhhnW05LHWD9Vxm:A4H4444CyIlEcfvAft0ygtTURCHlny9q

    • Detect Xworm Payload

    • UAC bypass

    • Windows security bypass

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Loads dropped DLL

    • Windows security modification

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15