General

  • Target

    SPOILER_Nextzus_V.8.exe

  • Size

    114KB

  • Sample

    241029-1y283sskdl

  • MD5

    9a960c4436689eca6d2fba6e25378416

  • SHA1

    24597aede4f1c4cefb5da2d581771f294eda21d9

  • SHA256

    2b15edfc12f281ececc9e3e26ef466bc37f07b28b15d3f60bcaa77732caf4707

  • SHA512

    4b9ef3d8156b81690cc8232a7050c58861bac57c76de24fa20389091423d788f3d08a8970c4dd496cbca54f93c39e43b06b40858a6a1deba9e9fb3ab7c027e63

  • SSDEEP

    3072:5S/JCF+HYlSHjQmws4Kfu3EaVZ4g7UiRTwKURLkpf:53F+HY8HjLws4MuUKeg4iRTw1La

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      SPOILER_Nextzus_V.8.exe

    • Size

      114KB

    • MD5

      9a960c4436689eca6d2fba6e25378416

    • SHA1

      24597aede4f1c4cefb5da2d581771f294eda21d9

    • SHA256

      2b15edfc12f281ececc9e3e26ef466bc37f07b28b15d3f60bcaa77732caf4707

    • SHA512

      4b9ef3d8156b81690cc8232a7050c58861bac57c76de24fa20389091423d788f3d08a8970c4dd496cbca54f93c39e43b06b40858a6a1deba9e9fb3ab7c027e63

    • SSDEEP

      3072:5S/JCF+HYlSHjQmws4Kfu3EaVZ4g7UiRTwKURLkpf:53F+HY8HjLws4MuUKeg4iRTw1La

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks