Overview

overview

10

Static

static

3

notepad.exe

windows7-x64

10

notepad.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    notepad.exe

  • Size

    932KB

  • Sample

    241101-wn4lyavndn

  • MD5

    c65cb44056323b27e0c14ebb39cc87ad

  • SHA1

    ece1dd8a3e1453b1eb8d8070570668a3898fb1fc

  • SHA256

    d1e5084a7735bd884c80508d2e48e8beb41c4a373eaefd40254219ed5b0f053d

  • SHA512

    72b167a09633965cf69e17e37856e57edd7d2fd2e4ba503ffbeb222b2f1f0a3d5462c13a00978c6e250d332a46db9988246b327d5857a0aafe896738f34ed5eb

  • SSDEEP

    12288:ChZ0hxc+gxrjYE25gxp+OSPAO3rFwT/2Fxb5eON5GpX:Cv0hxchxrjYx5a+OS9CL2Fxb5GJ

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

83.38.28.117:1603

83.38.24.1:1603
Attributes
  • Install_directory

    %Temp%

  • install_file

    RuntimeBroker.exe

Targets

    • Target

      notepad.exe

    • Size

      932KB

    • MD5

      c65cb44056323b27e0c14ebb39cc87ad

    • SHA1

      ece1dd8a3e1453b1eb8d8070570668a3898fb1fc

    • SHA256

      d1e5084a7735bd884c80508d2e48e8beb41c4a373eaefd40254219ed5b0f053d

    • SHA512

      72b167a09633965cf69e17e37856e57edd7d2fd2e4ba503ffbeb222b2f1f0a3d5462c13a00978c6e250d332a46db9988246b327d5857a0aafe896738f34ed5eb

    • SSDEEP

      12288:ChZ0hxc+gxrjYE25gxp+OSPAO3rFwT/2Fxb5eON5GpX:Cv0hxchxrjYx5a+OS9CL2Fxb5GJ

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks