General

  • Target

    KING_BOTTLE.exe

  • Size

    105KB

  • Sample

    241109-3qse1svcpk

  • MD5

    5ee059c0e66dbcf5eaac208829cf73fb

  • SHA1

    4582948195572f2ac0428bfd0cb1708bf7297d4d

  • SHA256

    873b8992d43241a737721a289679e2c51e46ce705b5b74fd1df8e4062d7892bc

  • SHA512

    5b6b543072c73ebcc71ab9c5da88a288df0d6e3cac4828e9627440768e5a52e8b7493cba7d4bfd6aee17158665bdc92cda3dcd5e3967d88495aed8245c155cdb

  • SSDEEP

    1536:/cp9JeddKdZ9JImr2RF4a9ZhH3D3LKvGHsmt7y/gXqzKUJC9TCw0llAnJ:12jlyRF4a9ZhrIm9qHJC9TCw0bAnJ

Score
10/10

Malware Config

Extracted

Family

xworm

C2

45.141.26.214:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    XClient.exe

Targets

    • Target

      KING_BOTTLE.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15