General

  • Target: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169.exe
  • Size: 3.0MB
  • Sample: 241030-c98m8svdpe
  • MD5: 649673218a19e8fd278c99d1355949f4
  • SHA1: da2b13b98dbb3ba3973388866860cb7cb3d2b59e
  • SHA256: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
  • SHA512: 5e6fab9f007e3015cc743f1ac962d77df7c479b4863e88fafc05a3a57896d7f3359afb91b18dcc88883a56c017c4fe279267a300effc37bf71c186fb080a00cd
  • SSDEEP: 24576:1az71UBrCXaw68FowF0vkf2fkAJzGthOXUKqx3Weeg:szRUDyFMPsAB0OXAV

Malware Config

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: 193.41.226.233:2222
  • Mutex: Kmswbx3MNQibZuVT

Attributes

  • install_file: USB.exe
  • telegram: https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026
  • aes.plain

Targets

  • Detect Xworm Payload
  • Suspicious use of NtCreateUserProcessOtherParentProcess
  • Xworm: Xworm is a remote access trojan written in C#.
  • Xworm family
  • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE
  • Loads dropped DLL
  • Enumerates processes with tasklist
