General

  • Target

    WEAPON BET 100.exe

  • Size

    14.4MB

  • Sample

    241029-1ybq5azkbx

  • MD5

    ec6587965932d9cea6d50b3f8e49f7b7

  • SHA1

    38208370466942f3951fa6826c7e542257d76023

  • SHA256

    ba927af3496ca0cb71e48e0f402a8b25d59ff78323a0ee82c39a51fbe3d4789b

  • SHA512

    3edd2b01c8d703d7adaab8189dfdc377ff9bf093a432aa5b68b3986876071e72834012fcc5b7559cbfa3535145427e6c4ca218cca7710ca2f08be873ee3fb452

  • SSDEEP

    393216:hxJ8UAUPC1PHnCTBknPW9m/UeSD4u7ttU:hxmUAUK1PHnmCWsX2t

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      WEAPON BET 100.exe

    Score
    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15