General

  • Target

    Dekbangtlez.exe

  • Size

    675KB

  • Sample

    241029-1yp9hszkcw

  • MD5

    ed8c4275d9e7eb916315fec83f38375f

  • SHA1

    ee3943deb752b8f85124f5d4885a1914ac6e7d61

  • SHA256

    0dc0610dbac4926a7d3ab442dba98ed1efdea06c7b53b690d1cd2a85e77af3fd

  • SHA512

    c2fdec5c745d8dd71cd586227909c2c6c917fca9e6ffc98bb9d7d82fb6206c545f3dc6cac7f266b074a3e06c7fae447e9516ecc66dc24122d3efa01e428b99d7

  • SSDEEP

    12288:RtQ/bSl7hk4oSEBOZh0XLiWH/2stVM/Ta5CCoyychTyS8VZmsCj3HvzBLk:xl7h1oScQh0XZH/2Ii2oyFhTyzmsCjXa

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

45.141.26.194:7000

Attributes
  • install_directory

    %ProgramData%

  • install_file

    svchost.exe
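An IOC sweep built from the extracted configuration above, added here as an example and not taken from the report or from the sandbox: it parses a few constructed endpoint events, flags any connection to the two C2 sockets (and, more weakly, a connection to either C2 address on a different port), and flags an svchost.exe that matches the configured install path or sits anywhere outside System32 and SysWOW64, the only places the genuine service host lives. The event line format, the resolution of %ProgramData% to C:\ProgramData, and the sample events themselves are assumptions made for the example.

```python
"""IOC sweep for the XWorm config in this report (added example, not report code)."""
import re
from typing import NamedTuple

# Indicators copied from the extracted config above.
C2_SOCKETS = {("185.84.161.64", 7000), ("45.141.26.194", 7000)}
C2_ADDRESSES = {ip for ip, _ in C2_SOCKETS}
INSTALL_DIR = "%ProgramData%"
INSTALL_FILE = "svchost.exe"

# Assumption: %ProgramData% resolves to its default location.
PROGRAMDATA_DEFAULT = r"C:\ProgramData"
# Directories that hold the real svchost.exe (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


class Event(NamedTuple):
    kind: str      # "PROCESS" or "NETCONN"
    image: str     # full path of the image that produced the event
    dst_ip: str    # remote address for NETCONN, "" otherwise
    dst_port: int  # remote port for NETCONN, 0 otherwise


# Assumed line format: KIND TIMESTAMP IMAGE [SRC -> DST_IP:DST_PORT]
EVENT_RE = re.compile(
    r"^(?P<kind>PROCESS|NETCONN)\s+\S+\s+(?P<image>\S+)"
    r"(?:\s+\S+\s+->\s+(?P<ip>[\d.]+):(?P<port>\d+))?$"
)


def parse_event(line):
    """Parse one event line; return None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["kind"], m["image"], m["ip"] or "", int(m["port"] or 0))


def expected_install_path():
    """Resolve the config's install_directory + install_file to a concrete path."""
    return INSTALL_DIR.replace("%ProgramData%", PROGRAMDATA_DEFAULT) + "\\" + INSTALL_FILE


def image_reasons(image):
    """Reasons an image path is suspicious: exact config match, or svchost.exe masquerade."""
    reasons = []
    p = image.lower()
    directory, _, name = p.rpartition("\\")
    if p == expected_install_path().lower():
        reasons.append("image matches XWorm install path from config")
    elif name == INSTALL_FILE and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64 (masquerade)")
    return reasons


def event_reasons(ev):
    """Combine image-path reasons with C2 socket/address matches for one event."""
    reasons = image_reasons(ev.image)
    if ev.kind == "NETCONN":
        if (ev.dst_ip, ev.dst_port) in C2_SOCKETS:
            reasons.append(f"connection to XWorm C2 {ev.dst_ip}:{ev.dst_port}")
        elif ev.dst_ip in C2_ADDRESSES:
            reasons.append(f"connection to XWorm C2 address {ev.dst_ip} on port {ev.dst_port}")
    return reasons


def sweep(lines):
    """Return (line, reasons) for every parseable event that matches at least one indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = event_reasons(ev)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


# Constructed sample events for the example (not from the sandbox run).
SAMPLE_EVENTS = [
    r"PROCESS 2024-10-29T21:58:01Z C:\Windows\System32\svchost.exe",
    r"PROCESS 2024-10-29T21:58:02Z C:\ProgramData\svchost.exe",
    r"NETCONN 2024-10-29T21:58:03Z C:\ProgramData\svchost.exe 10.0.0.5:51234 -> 185.84.161.64:7000",
    r"NETCONN 2024-10-29T21:58:04Z C:\Windows\System32\svchost.exe 10.0.0.5:49700 -> 203.0.113.10:443",
    r"NETCONN 2024-10-29T21:58:05Z C:\Users\Public\svchost.exe 10.0.0.5:51240 -> 45.141.26.194:7000",
    r"NETCONN 2024-10-29T21:58:06Z C:\Windows\explorer.exe 10.0.0.5:51250 -> 185.84.161.64:443",
]

if __name__ == "__main__":
    for line, reasons in sweep(SAMPLE_EVENTS):
        print(line)
        for r in reasons:
            print("   ", r)
```

The point of the path check is that install_file is a name the operator chose to blend in: a file called svchost.exe under %ProgramData% has nothing to do with the Windows service host in System32, so the check keys on where the binary runs from, never on its name alone.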

Targets

    • Target

      Dekbangtlez.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks