General

  • Target

    X-PROJECT.exe

  • Size

    127KB

  • Sample

    241029-1xw1ns1anc

  • MD5

    967ae47a2ebbc731d6c8b5a92c07f4d9

  • SHA1

    5bc6d706c70976c7db73cfc7eb040a9dd6a0d381

  • SHA256

    cb30232f405584a8cafc49eb0a44fafa1ef2849d3ebb4281bdad8322258af295

  • SHA512

    a393f75acb878e05a5ddc2c2826c84dffd2f7f95cd92a0b0c6ff6048e3a6831dbdc30d0239d7e1a75af50a52272a210dbd368b65c1ff957805178e3682206d32

  • SSDEEP

    1536:SvFEDx0o36CRiHNcXasFsdLB74NsK7hoOPHIPILlQTYFWJOIs2cgJFyJy+lDt:SvFE736CUHWTaLu1nZLE/cgJF1+h

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks