General

  • Target

    BOTTLE_config.exe

  • Size

    129KB

  • Sample

    241029-1yw23a1aqf

  • MD5

    980a7d8044ad13e6b0ba2c61b52e1365

  • SHA1

    8ce2cda11a969e97e1aac3579bebc6ff5087d87e

  • SHA256

    c77da91c55e49be9d9ce67fe5338f21cafef1c22c22b59f2b4823ae7918e680c

  • SHA512

    715ac4ea48e5f7d503b6a202a139b9e02813f7d62dee2457d54c68c28e0540cf9bb5b7131d966758d5e7acd9b341e8f2c2f3888cb3e9f5776b96fa5a94444f95

  • SSDEEP

    3072:0pJHCvpAli35r0tjLE2fWT7UIMqcgeS71zfqz6:SKAlq5wtW7Fcg9JLqz

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe
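
The extracted configuration above yields one network indicator (C2 at 185.84.161.64:7000) and one host indicator: the payload is dropped as svchost.exe under %ProgramData%, masquerading as the Windows service host, which only ever runs from System32 or SysWOW64. The Python below is an added example, not part of the sandbox report, that checks process/network telemetry against those indicators. The flat key=value event format and the sample events are constructed for illustration, and the masquerade check deliberately generalizes beyond this sample to any svchost.exe running outside its legitimate directories.

```python
"""Hunt for the indicators extracted above (C2 185.84.161.64:7000, drop path
%ProgramData%\\svchost.exe) in process/network telemetry.

Added example, not part of the sandbox report. The event format and the
sample events are constructed for illustration.
"""
import re

# Indicators copied from the extracted XWorm config above.
C2_HOST, C2_PORT = "185.84.161.64", 7000
INSTALL_DIR = "%ProgramData%"
INSTALL_FILE = "svchost.exe"

# The genuine svchost.exe only lives here (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed environment map standing in for the victim's variables, so the
# check runs offline and on non-Windows hosts.
ENV = {"programdata": r"C:\ProgramData", "windir": r"C:\Windows"}


def expand_env(path, env=ENV):
    """Expand %VAR% tokens using the explicit map; unknown tokens are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


EXPECTED_DROP = expand_env(INSTALL_DIR + "\\" + INSTALL_FILE).lower()


def classify_process(image_path):
    """Tag a process image path.

    'xworm_install' : exactly the configured drop path
    'masquerade'    : svchost.exe running from anywhere other than System32/SysWOW64
    None            : nothing notable
    """
    path = expand_env(image_path).lower()
    if path == EXPECTED_DROP:
        return "xworm_install"
    directory, _, name = path.rpartition("\\")
    if name == INSTALL_FILE and directory not in LEGIT_SVCHOST_DIRS:
        return "masquerade"
    return None


# One flat key=value line per network connection, in the spirit of Sysmon
# Event ID 3 (constructed format, not Sysmon's real XML).
CONN_RE = re.compile(r"Image=(\S+)\s+DestinationIp=(\S+)\s+DestinationPort=(\d+)")


def parse_conn(line):
    """Return {'image', 'ip', 'port'} for a connection line, or None if it does not match."""
    m = CONN_RE.search(line)
    if not m:
        return None
    return {"image": m.group(1), "ip": m.group(2), "port": int(m.group(3))}


def triage_events(lines):
    """Return (image, ip, port, reasons) for every event that hits an indicator."""
    alerts = []
    for line in lines:
        ev = parse_conn(line)
        if ev is None:
            continue
        reasons = []
        if (ev["ip"], ev["port"]) == (C2_HOST, C2_PORT):
            reasons.append("c2")
        tag = classify_process(ev["image"])
        if tag:
            reasons.append(tag)
        if reasons:
            alerts.append((ev["image"], ev["ip"], ev["port"], tuple(reasons)))
    return alerts


# Constructed telemetry: one benign line, then three that should fire.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5 DestinationPort=443",
    r"Image=C:\ProgramData\svchost.exe DestinationIp=185.84.161.64 DestinationPort=7000",
    r"Image=C:\Users\Public\svchost.exe DestinationIp=10.0.0.53 DestinationPort=53",
    r"Image=C:\Users\bob\Desktop\BOTTLE_config.exe DestinationIp=185.84.161.64 DestinationPort=7000",
]

if __name__ == "__main__":
    for image, ip, port, reasons in triage_events(SAMPLE_EVENTS):
        print(f"{','.join(reasons):22} {image} -> {ip}:{port}")
```

The C2 match is the high-confidence hit but is also the most brittle, since the operator can change the address in the next build; the drop-path and masquerade checks survive that and are worth keeping as standing detections.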

Targets

    • Target

      BOTTLE_config.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Contacts a legitimate IP lookup web service to learn the infected system's external IP address.

MITRE ATT&CK Enterprise v15