Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://87.120.117.20...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://87.120.117.209/coinbase.exe

  • Sample

    241110-seaqqasleq

Score
10/10
xwormdiscoveryexecutionphishingrattrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://87.120.117.209/coinbase.exe

Extracted

Family

xworm

Version

5.0

C2

87.120.117.209:7000

Mutex

U2y4hALpuDGJOJr0

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      http://87.120.117.209/coinbase.exe

    Score
    10/10
    xwormdiscoveryexecutionphishingrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to execute payload.

      execution

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: currency-file@1

      phishing

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks