xworm | b6f677ed348de7160677ca453846e77713ba1b2e9820b03be282956626725eca | Triage

Sharing

General

Target

boot.rar
Size

22.7MB
Sample

241109-yt5sastpan
MD5

e12309706bacdb074c6c2aaa1d38580d
SHA1

4f5a57d473d7efe3245b7b436fc7dcf2d1052068
SHA256

b6f677ed348de7160677ca453846e77713ba1b2e9820b03be282956626725eca
SHA512

c24a432945121ca5d3e1998a7f057c9901d47f7a103051a0355fd51fd9935f42cb06d30f2515874d4c6aab4ed45f83c5d72cf67918ed958c3fccc623eba504d8
SSDEEP

393216:eC6jn5+ZFgEknm4G6eRzt6/+lRE0gLfZFrRa/5Fh4vj8EXWTqbshc8rJnTtyXbt:r6j46LnoTRBliBTvrRah8jhWTqVsTtgt

Score

10^/10

xworm discovery evasion pyinstaller ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

89.213.177.171:7000

Mutex

QSt8Afyc7zR2PwtO

Attributes

Install_directory
%ProgramData%
install_file
VLC_Medai.exe

aes.plain

Targets

- Target
  
  boot/1.bat
- Size
  
  2KB
- MD5
  
  5796d9a4ba133117ed2873ea8f0a9d52
- SHA1
  
  ed249bd98b8da480c8245f20b789f75d8a8621fd
- SHA256
  
  1382faa9d7a174cd4d91ae5ea9ae3cde45b2304642cefcc7c1ee133af27f3715
- SHA512
  
  10b95f6c3cc8c070ab8c46b5f410caea7aa9811e91aaa0568094897628bd03e36db699892cbd83455259fcf698e2a3e6eeaa9190cb1842078a0fd3c7b2b7e240
Score

9^/10

evasion ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
behavioral1 behavioral2
- Target
  
  boot/1.py
- Size
  
  52B
- MD5
  
  858e1e6a179ec8058642510913727484
- SHA1
  
  91f8e721b723080885fae29b123328205f6e343a
- SHA256
  
  cda18aa05e920a58a0a46a6457a8acddca5593bb6b4c7e24c9df6bdc4ae2c74a
- SHA512
  
  7283f7bdaa06e89d948f6a79e26977b5df8fb9959e05b746659c38e7781658749c87496fc8aa91e48a79cb0a47ad88aa800c67f62a13ec01fcd893095ac50fde
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  boot/2.bat
- Size
  
  434B
- MD5
  
  336a88d531e883204b2743e782d676ff
- SHA1
  
  f804d146fd8bafa114a028554825bfddb1c2ed6d
- SHA256
  
  a3949025075c220eba433d498895a1c2b6ee6bc50bd00b7e06f6c0bee25f71b4
- SHA512
  
  e5ca61e53009083ceeaf081be5e9594a622755050daa3094a67ff742dfd157ef9aceee2ff3263a9dae71300689d5184883cfce0b1b8e11df4f54c7053cd74991
Score

7^/10
- Deletes itself
behavioral5 behavioral6
- Target
  
  boot/2.py
- Size
  
  43B
- MD5
  
  be299f09f49efe014b70364ab9e7ada3
- SHA1
  
  248f54c6a1a3aae97178fb7c4df93b6d688951a9
- SHA256
  
  790e50a960eee342bc2efe83e1ef43336694ed029f82157aa2e00790bfe3880c
- SHA512
  
  049d3c498ed74f88c54ebc255104804846413d60df9325e47a79f76e69983b6fc47f8f773f01906d801599c407bdd5ac417681102d5fe6b82fda98ccc484d538
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  boot/3.py
- Size
  
  43B
- MD5
  
  56daa0a84b917e59bf09de229103dfa3
- SHA1
  
  1b3d1b799a42531d149cd15507a557387e0c42a0
- SHA256
  
  7042bc4f8b85065d8e522dd4747e953781949e1d33d2eaf9c8ca3b72c1f2c618
- SHA512
  
  5f01f5b1b99bfe5ee6aa0fe1aab487552acaa86363f15481a02d78fd37a23910564277f1dba755e05b477acd8f4b7ffe74cb4cd4368d06787685e41a344af124
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  boot/FixBug.bat
- Size
  
  330B
- MD5
  
  23bc23e2ab92baedcc1d3a3f72d5b022
- SHA1
  
  48f3a3c131b2975da58ae857f88810c4b27e3c9d
- SHA256
  
  6637a1fb0c8065b21564c77816af2f78f49934c13d4849a01d52a735949070ed
- SHA512
  
  f175fc393e337ce565929cff9b65a15ee341028920018c104ca95185065d56f96ce988d6a20ad5657de3c5f6991ba9967dfe0dd3edb51d3348b1ee3d3c46b9c0
Score

1^/10
behavioral11 behavioral12
- Target
  
  boot/Output.exe
- Size
  
  19.1MB
- MD5
  
  1e1f058b9022cd3a95060cff1b1cf210
- SHA1
  
  3918d00edeaa189b0eac34b9eb488ef7f2c422a3
- SHA256
  
  4d220efb35e831a8663e0ab732846b70857ed6562928f22cd4bfc65dc5246a85
- SHA512
  
  b30d994bce280300743eb7b193407970b116c49d0afef9de2124c467fa5bc2c18e4bb8ff2dba65e179dab07f7bf854fd4bd8185ee1e80cdc4689fc8d24fb4edc
- SSDEEP
  
  393216:aBSZCeuEixoVYUZoQ6QzhFFkgzGAtJe2x5uubfweKOZZpk4v:aM86ixofhkyGWe2LZjpf
Score

10^/10

xworm pyinstaller rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral13 behavioral14
- Target
  
  boot/fix bug.py
- Size
  
  89B
- MD5
  
  b1e437ddd96fc2ab66abb9ecbd970e52
- SHA1
  
  791251d935d3a2c391661f72e34cebf6eb3bd0d9
- SHA256
  
  435c86438c3ea3ce0288e5675ae7c417f3a8b60441babe170aa82c4d9142576c
- SHA512
  
  b02e1af6efc4339831d33e6df46069d7e697740a5b6028b4523502e7b6408d270ad0bad70ce28d16cd8776e1b6c025aafa376aa2b197c02ec1eb1088904310b3
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  boot/gif.py
- Size
  
  775B
- MD5
  
  344077296286dad65add895bb5402c22
- SHA1
  
  a72d487ccd0fc5c06c15ee098fd4a89e2d41ef10
- SHA256
  
  5a2953bd8820145200e39f47ea624e3a727455d770c11586079e945c190a563c
- SHA512
  
  31e7b16ef3d69cbe5ffc0f20e32aa77d1338e0dc37242a7c7bc1217985b3085aae31e6902ad5d31a14a4989dc708b51b9da1a2f96e380bb47c301baeace55698
Score

3^/10

discovery
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionransomware

behavioral2

evasionransomware

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

xwormpyinstallerrattrojan

behavioral14

xwormpyinstallerrattrojan

behavioral15

behavioral16

behavioral17

behavioral18