General

  • Target

    FullOption_2.1Xenos.exe

  • Size

    4.0MB

  • Sample

    241029-z6pghszgjp

  • MD5

    b764464ce51f73187f506614a94e9203

  • SHA1

    69e7f6c422aa7df6c5f6f7cf2d2cdd559239afbb

  • SHA256

    9ae862326eec8697ced81adb55e64704dcbe137e967f932518749b2f6458b051

  • SHA512

    b14e452bf906696721ba1e453848a5be56a57ebe98f5f706bf8f5bb7f9e9b395953977e2c3b97c08d7ac374355f49a49cf5d903b1a0435ebe6888c33518ac614

  • SSDEEP

    98304:jhPEqi3eke7TEDTc8WUshRoe3lGbdHjUJeDofmS4xWs:jh8qig7IDYr13whv0O1B

Score
10/10

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Targets

    • Target

      FullOption_2.1Xenos.exe

    Score
    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks