Overview

overview

10

Static

static

5

Request fo...df.exe

windows7-x64

10

Request fo...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    05112024_0048_04112024_Request for quotation.pdf.7z

  • Size

    548KB

  • Sample

    241105-a51qqazpcy

  • MD5

    eb0caa7831a6bbe636f854fadb57a664

  • SHA1

    fa4cc580f84cdc8341998e334fb66aea3abde6f0

  • SHA256

    63563e6bfbb746f8aa33ff07896b76f75638373b7ba9a5af6bc2bea66241274c

  • SHA512

    7f57ee2b30116d5a1bce0726f8afed91183c4370de2d4d3080e00ec23daa81536347163c770689a1d170415c7c6e6a7d4540086ef26184146f8a96a0b4762528

  • SSDEEP

    12288:CC0MUrkxi1S/2mPrB/ybU6ovrYaQc+McdUHyg3bTtvgxLupOkeyl2F:F/UVC2arFGU6kEc+3USg3bTKxL6Ou2F

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

195.154.49.246:2112

Mutex

iTEfRI9nTI5flg7d

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      Request for quotation.pdf.exe

    • Size

      1.1MB

    • MD5

      5fbc756d04b68cd1c66a12a56628744f

    • SHA1

      174afc1c59dd513d93afb9aa414e4a3486e8d7d2

    • SHA256

      069facb5cf9660abced4bcb48a98ab7e5e51bb311517148ec794ff6ae4985652

    • SHA512

      cb351a7675035f3e487a0d1deda13e4eb44ee74759e29d6cb4b43a990bc337afd15a5342ed543a5abb8324939ab707d347c43db7b140472529a57a9ac162b863

    • SSDEEP

      24576:AAHnh+eWsN3skA4RV1Hom2KXFmIal9tlBu0OYACQ5:3h+ZkldoPK1Xal/juPP

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks