General

  • Target

    e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d

  • Size

    1.2MB

  • Sample

    241106-vsgsaswqcj

  • MD5

    8fb19c3d4cb103c9c135b8cb66a3b69f

  • SHA1

    b16e6b15410da8ec3e35fda27d6950faeecaefff

  • SHA256

    e7f0e5b269709e0c1038f76d1073bf614308dfc5cac8beb1c2c39d6704eb804d

  • SHA512

    502c7b57c08addd41d1de3ae7978d3caeb1841e55313c2fc5a7519efab661d27470388e0e5a8c47c0e03160c448331172ff73845f21f29ec5c190d9959c10262

  • SSDEEP

    24576:GbypZzt2/HBrpbIQPl5JDM/8qb3Ma1zQYHRgR9Vj:Guzt0lP5wf1caSR

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    primary.fastly-dns.com:54984

    kbk.con-ip.com:54984

  • Mutex

    UvbWPurmSYHI9fDh

  • Attributes

    install_file: USB.exe

    aes.plain

Targets

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks