General

  • Target

    XCliente.exe

  • Size

    33KB

  • Sample

    241029-2qjmfa1glr

  • MD5

    46af754270dd36d49444438d59d3dc03

  • SHA1

    3c7026e503ad99e027c441b386de18ab24417f54

  • SHA256

    6beed422d1b8dd262962ce2b277dfa8d6f852b4572ee818d77173eea1842be4b

  • SHA512

    38d39b06c945cc3690acb463f4fceea44a8bc6d3d5862fdde34ac86e060b06e88969f431029ff83b38f25e3dd616ef64f6e9eca21dbe4d2efdae1577f096a904

  • SSDEEP

    768:zB3hXuukvIi2lahqLeqdXFh9ZaO/hy/E33:93Euo32lahlqtFh9ZaO/kcH

Malware Config

Extracted

Family

xworm

Version

3.1

Mutex

Gz1k9z3viwF3Mfl2

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/J09JweeH

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15