General

  • Target

    UNBANSEVER.exe

  • Size

    759KB

  • Sample

    241029-1x8dps1cjk

  • MD5

    30485bfd2d58f3448b9b235a05b9951c

  • SHA1

    183f316fd6201eba056ccb5a8efdece5df6c8f8c

  • SHA256

    d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b

  • SHA512

    758c110ca487b2195581370fbc3021a35ebfaeffc202deedf84be2c1813de6e5cb43947ee3ee4fb2e57e369897b06bd802065a85a9dbd8138444e8471b6af252

  • SSDEEP

    12288:Ink7Er1/zPdaGn+SjpV8VnHGM/GCA9KP91jUwMf+VO:U6idxLj8BHGyRx9d3W+VO

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

45.141.26.194:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      UNBANSEVER.exe

    • Size

      759KB

    • MD5

      30485bfd2d58f3448b9b235a05b9951c

    • SHA1

      183f316fd6201eba056ccb5a8efdece5df6c8f8c

    • SHA256

      d7ffc0a81cd1bae45ba220a4fcbbae32b10cb2f7449e996bf3c57ee9b7f3c47b

    • SHA512

      758c110ca487b2195581370fbc3021a35ebfaeffc202deedf84be2c1813de6e5cb43947ee3ee4fb2e57e369897b06bd802065a85a9dbd8138444e8471b6af252

    • SSDEEP

      12288:Ink7Er1/zPdaGn+SjpV8VnHGM/GCA9KP91jUwMf+VO:U6idxLj8BHGyRx9d3W+VO

    Score
    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
