General

  • Target

    7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe

  • Size

    5.1MB

  • Sample

    241016-fp7f8atenh

  • MD5

    f3a3332b13baa50c41644b86efdf0fe4

  • SHA1

    f3b91aa55b8dce62cb614e2a43d8e3973b1d47b6

  • SHA256

    7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970

  • SHA512

    46808e4d79d0d1fbe2835456daf31e0de9e8f296b7863f38400eaa03fbf33be450f92df16f9b77ac5bb95aa33a97d484c1c678891c6e13b151f9cb7865c99be7

  • SSDEEP

    98304:EH//4Q0gBDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIf/Yapu5koUe:0BD4aUgZLhj3gZj67xHRnFpu5kPe

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    xwor3july.duckdns.org:9402

  • Mutex

    JIs7HXfvmVwG8wtR

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970.exe

    • Size

      5.1MB

    • MD5

      f3a3332b13baa50c41644b86efdf0fe4

    • SHA1

      f3b91aa55b8dce62cb614e2a43d8e3973b1d47b6

    • SHA256

      7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970

    • SHA512

      46808e4d79d0d1fbe2835456daf31e0de9e8f296b7863f38400eaa03fbf33be450f92df16f9b77ac5bb95aa33a97d484c1c678891c6e13b151f9cb7865c99be7

    • SSDEEP

      98304:EH//4Q0gBDcLaUgZLGTVCfjemnYMjgfRQ14dewsjdis7xGC4tIf/Yapu5koUe:0BD4aUgZLhj3gZj67xHRnFpu5kPe

    • Detect Xworm Payload

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0063d48afe5a0cdc02833145667b6641

    • SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    • SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    • SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • SSDEEP

      192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    Score
    3/10
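The extracted config (C2 host and port, mutex, install_file) and the behaviour signatures listed for the main target (Run key persistence, file dropped in System32) can be turned into a small host and network IOC matcher. The code below is an added example, not part of the Triage report or the XWorm sample: the event records it scans are constructed, and the drop path under AppData and the Run value name are assumptions, since the report does not state where USB.exe is written or what the Run value contains.

```python
"""IOC matcher built from the XWorm report fields above.

Indicators are copied from the report; the Event records fed to it
are constructed for this example and are not sandbox output.
"""
import re
from dataclasses import dataclass

# Indicators taken from the extracted config and hashes in the report.
C2_HOST = "xwor3july.duckdns.org"
C2_PORT = 9402
MUTEX = "JIs7HXfvmVwG8wtR"
INSTALL_FILE = "USB.exe"
SHA256 = "7fd5435121f2cb4320b1bc49400152ec3fecce7f5ce0acce56f32c327126c970"

# Behaviour signatures: "Adds Run key" and "Drops file in System32 directory".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str        # dns | connect | mutex | file_write | reg_set | file_hash
    value: str       # domain, host:port, mutex name, path, registry key, hash
    detail: str = "" # for reg_set: the data written to the value


def match_event(ev: Event) -> list[str]:
    """Return the IOC labels an event matches (empty list if none)."""
    hits: list[str] = []
    if ev.kind == "dns" and ev.value.lower() == C2_HOST:
        hits.append("c2_domain")
    elif ev.kind == "connect":
        host, _, port = ev.value.rpartition(":")
        if host.lower() == C2_HOST and port == str(C2_PORT):
            hits.append("c2_endpoint")
    elif ev.kind == "mutex" and ev.value == MUTEX:
        hits.append("xworm_mutex")
    elif ev.kind == "file_write":
        if ev.value.lower().endswith("\\" + INSTALL_FILE.lower()):
            hits.append("install_file")
        if SYSTEM32_RE.match(ev.value):
            hits.append("system32_drop")
    elif ev.kind == "reg_set" and RUN_KEY_RE.search(ev.value):
        hits.append("run_key_persistence")
        if ev.detail.lower().endswith(INSTALL_FILE.lower()):
            hits.append("run_key_points_to_install_file")
    elif ev.kind == "file_hash" and ev.value.lower() == SHA256:
        hits.append("known_sample_hash")
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> matched labels, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


def verdict(events: list[Event]) -> tuple[bool, list[str]]:
    """Flag the host only when two or more distinct indicator classes fire,
    so a single DNS lookup of the C2 domain alone does not raise an alert."""
    labels = {label for hits in scan(events).values() for label in hits}
    return len(labels) >= 2, sorted(labels)


# Constructed events resembling what an EDR would log for this sample.
# The AppData path and the "USB" value name are assumptions, not report data.
SAMPLE_EVENTS = [
    Event("dns", "xwor3july.duckdns.org"),
    Event("connect", "xwor3july.duckdns.org:9402"),
    Event("mutex", "JIs7HXfvmVwG8wtR"),
    Event("file_write", r"C:\Users\victim\AppData\Roaming\USB.exe"),
    Event("reg_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\USB",
          r"C:\Users\victim\AppData\Roaming\USB.exe"),
    Event("dns", "update.microsoft.com"),  # benign, must not match
]

if __name__ == "__main__":
    flagged, labels = verdict(SAMPLE_EVENTS)
    print("flagged:", flagged)
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].kind, SAMPLE_EVENTS[idx].value, "->", hits)
```

The C2 match is split into a domain-only label and a host:port label on purpose: DuckDNS names are rotated by operators, so the port 9402 and the mutex are the more durable indicators from this config, and the verdict function requires two independent classes before it flags a host.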

MITRE ATT&CK Enterprise v15

Tasks