General

  • Target

    ac9ef83f6d6ae646a08a97ecfe311a8beddacc41e0add58f8516b657f627ee18N

  • Size

    37KB

  • Sample

    241111-pv6ljszcnc

  • MD5

    d8dfc68d21a7cdd095bc03963a8b2fb0

  • SHA1

    7d132da41aa0180c5895132e559f6245f1feacbc

  • SHA256

    ac9ef83f6d6ae646a08a97ecfe311a8beddacc41e0add58f8516b657f627ee18

  • SHA512

    32080903a12794c3e60d8572a7c50b693a5f988fabd1679bbcce9e1bba2a6e038fa023ad95b95dd00d14e08b1ea95194ce03e371bef29b67be4a2c01872c8637

  • SSDEEP

    768:ztGRiYTgP/NNo5GfjS61216La/FP192iOphi7X:zkRi+gsGu6McLgFt92iOpeX

Malware Config

Extracted

Family

xworm

Version

3.1

C2

role-fresh.gl.at.ply.gg:2522

Mutex

tZ4Yyzni0aPUlFjz

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • aes.plain

Targets

    • Target

      ac9ef83f6d6ae646a08a97ecfe311a8beddacc41e0add58f8516b657f627ee18N

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application
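Host and log triage for the indicators above, as an added example (not part of the sandbox report and not the malware's own code). It checks Run key values for the %ProgramData%\USB.exe install path named in the extracted config, scans key=value DNS and connection log lines for the C2 host role-fresh.gl.at.ply.gg and port 2522, and compares a file's digests against the MD5/SHA256 listed above. The registry values and log lines are constructed sample input; the key=value log format, the C:\ProgramData expansion, and the treatment of any other *.ply.gg lookup as a weaker tunnelling indicator are assumptions.

```python
"""Triage helpers for the XWorm indicators in the report above.
Added example; the sample inputs below are constructed, not captured."""
import hashlib
import re
import shlex
from pathlib import Path, PureWindowsPath

# Indicators copied from the sandbox report.
SAMPLE_MD5 = "d8dfc68d21a7cdd095bc03963a8b2fb0"
SAMPLE_SHA256 = "ac9ef83f6d6ae646a08a97ecfe311a8beddacc41e0add58f8516b657f627ee18"
C2_HOST = "role-fresh.gl.at.ply.gg"
C2_PORT = 2522
INSTALL_FILE = "USB.exe"
# Assumption: ply.gg names are issued by the playit.gg tunnelling service, so a
# *.ply.gg lookup from a workstation is a weaker, broader signal than the exact C2.
TUNNEL_SUFFIX = ".ply.gg"


def expand_env(cmd, env):
    """Expand %VAR% tokens from a supplied mapping, so an exported Run key can
    be checked off-host instead of only on the infected machine."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)


def suspicious_run_entries(run_values, env=None):
    """run_values: {value_name: command} copied from a ...\\Run key.
    Returns (value_name, exe_path) for entries whose executable is
    <ProgramData>\\USB.exe, the install path and file the config names."""
    env = env or {"programdata": r"C:\ProgramData"}  # assumed default location
    hits = []
    for name, cmd in run_values.items():
        expanded = expand_env(cmd, env).strip()
        try:
            # Non-POSIX mode keeps backslashes literal; first token is the exe.
            exe = shlex.split(expanded, posix=False)[0].strip('"')
        except (ValueError, IndexError):
            continue  # empty or unbalanced command string
        p = PureWindowsPath(exe)
        if (p.name.lower() == INSTALL_FILE.lower()
                and str(p.parent).lower() == env["programdata"].lower()):
            hits.append((name, str(p)))
    return hits


def c2_indicators(log_lines):
    """Scan key=value log lines. qname= fields are matched against the C2 name
    and the tunnel suffix; dst= fields are matched as host:port. Lines that
    carry only an IP need DNS correlation first, since tunnel IPs change."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        qname = fields.get("qname", "").lower().rstrip(".")
        dst = fields.get("dst", "").lower()
        if qname == C2_HOST:
            hits.append(("c2-dns", line))
        elif qname.endswith(TUNNEL_SUFFIX):
            hits.append(("tunnel-dns", line))
        if dst == f"{C2_HOST}:{C2_PORT}":
            hits.append(("c2-conn", line))
    return hits


def digests(data):
    """Return (md5_hex, sha256_hex) of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def matches_sample(data):
    """True if the bytes hash to the MD5 or SHA256 from the report."""
    md5, sha256 = digests(data)
    return sha256 == SAMPLE_SHA256 or md5 == SAMPLE_MD5


def is_known_sample(path):
    """Hash a dropped file (e.g. C:\\ProgramData\\USB.exe) and compare."""
    return matches_sample(Path(path).read_bytes())


# Constructed sample inputs.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "USB": r'"%ProgramData%\USB.exe"',
}
LOG_LINES = [
    "2024-11-11T15:02:10Z dns host=WS-17 qname=role-fresh.gl.at.ply.gg rcode=NOERROR",
    "2024-11-11T15:02:10Z dns host=WS-17 qname=www.microsoft.com rcode=NOERROR",
    "2024-11-11T15:02:12Z dns host=WS-17 qname=other-name.gl.at.ply.gg rcode=NOERROR",
    "2024-11-11T15:02:13Z conn host=WS-17 dst=role-fresh.gl.at.ply.gg:2522 proto=tcp",
]

if __name__ == "__main__":
    print(suspicious_run_entries(RUN_VALUES))
    print(c2_indicators(LOG_LINES))
```

The mutex (tZ4Yyzni0aPUlFjz) can only be checked on a live host and is not covered here; on Windows, pass is_known_sample the path of any USB.exe found under ProgramData and feed suspicious_run_entries the values of both the HKCU and HKLM Run keys.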
