Overview

overview

10

Static

static

3

a52f8f78ba...57.exe

windows7-x64

10

a52f8f78ba...57.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957

  • Size

    77KB

  • Sample

    241101-vdghzsvjaq

  • MD5

    4bd68436e78a4a0f7bb552e349ab418f

  • SHA1

    a1c4c57efd9b246d85a47c523b5e0436b8c24deb

  • SHA256

    a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957

  • SHA512

    070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd

  • SSDEEP

    1536:0gfn5Lul8fEnR905wJcPaKIWs90kWTBw3ENm1Wa7v2:0gRuljR9YwJcinNedY52

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

0.tcp.in.ngrok.io:15792

Attributes
  • Install_directory

    %AppData%

  • install_file

    svсhost.exe

Targets

    • Target

      a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957

    • Size

      77KB

    • MD5

      4bd68436e78a4a0f7bb552e349ab418f

    • SHA1

      a1c4c57efd9b246d85a47c523b5e0436b8c24deb

    • SHA256

      a52f8f78ba063951c3e315c562df187b90c257a61585e4682821abf6cefec957

    • SHA512

      070ebca410b909d0e0ce4ba9a8119aa45de42e1c8cffc18916b070e2ad6012f40f1b0784c375e8100a987ce84e71e51da353444241f9301217f159681c3d1bbd

    • SSDEEP

      1536:0gfn5Lul8fEnR905wJcPaKIWs90kWTBw3ENm1Wa7v2:0gRuljR9YwJcinNedY52

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks