General

  • Target

    3. ลบประวัติรัน ใส่ไว้ในคอมลูกค้าได้เลย.exe

  • Size

    88KB

  • Sample

    241029-1yjfzaskbr

  • MD5

    d5193774c90ba82c65541beadd6c313e

  • SHA1

    3925fc50ab0c8ce843e08941cb3f418a7eae379b

  • SHA256

    c3673d01d7ccd2a3c7735b8b00b050f731e73af3feb6e5b14bf3689bf89b884c

  • SHA512

    f4a4e24cc173458222a742d00bf461623ab0fba5309d3d275ba93a6840a267c8d460479767f1e637e53a6933d734ce76b7e9f579b7ff3711e582eb4caf8bca54

  • SSDEEP

    1536:Pm1GBOZ7//G3CFdS313hZsB77buO4MHXpZqVhrcLEuwTnq:PmMq7bFdSF3mXimyV5mEjnq

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
