General

  • Target

    multi tool.exe

  • Size

    123KB

  • Sample

    241017-fxt6vsxbkr

  • MD5

    ef2bef29ae78302516d7ae83449a77cf

  • SHA1

    6c7e8cc89c4d65bd3682e09de11456bd215f042b

  • SHA256

    3d6e7e00580e1b17849dcd6c80cbe10b09b2e677deda5016c3baba36517dd462

  • SHA512

    f036b16b17e90d8bcc7ea45d443d7d7fdc3b26c095f268f6d97cce31404d0e527a3e014e5650fabf3c30e3ebf0096390e547b16304abb5b4a2c015c9fb5b6694

  • SSDEEP

    3072:LutfyBqcmMDSY3K/hzwKLKJPOaHGmQOR29wxTafk2i:LS+DV3K55LKZOaGq2uxWfk

Malware Config

Extracted

  • Family

    xworm

  • C2

    80.76.49.114:11576

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      Windows Start .exe

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    keep-motors.gl.at.ply.gg:2646

  • Mutex

    WuQcPA9xKpBCvpzg

  • Attributes

    • install_file

      USB.exe

  • aes.plain

Targets

    • Target

      multi tool.exe


    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15
