Overview

overview

10

Static

static

3

4c8c129add...27.exe

windows7-x64

10

4c8c129add...27.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4c8c129addb0befc1233bcf97b5f2ba5aa768cc529d3244c7fd452b9a599ed27

  • Size

    10.3MB

  • Sample

    241118-p57atswhnc

  • MD5

    086ae059efcfa3719a91eb362ea7b0d3

  • SHA1

    60701d200851fd9ebfdd8839683c0bc0dcd01050

  • SHA256

    4c8c129addb0befc1233bcf97b5f2ba5aa768cc529d3244c7fd452b9a599ed27

  • SHA512

    8cd3cbadef4b14ddf322bc718b1a9956ce3211fcd0765ba8ef2af4ca4465cdb7baa7afdaf9e47da13d1098c5e2d0118dad7b5b85c27fcc2d5e1070f50818cb3b

  • SSDEEP

    196608:56nteHdgyFauFurL9pQQ9elLB9bRjc+TTAO8lw7NXCm9:ieHmENUelLTR5n8l+X9

Score
10/10
xwormdiscoverypersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.124.219.98:7000

Mutex

MRb1Mp9n6eyda5j3

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      4c8c129addb0befc1233bcf97b5f2ba5aa768cc529d3244c7fd452b9a599ed27

    • Size

      10.3MB

    • MD5

      086ae059efcfa3719a91eb362ea7b0d3

    • SHA1

      60701d200851fd9ebfdd8839683c0bc0dcd01050

    • SHA256

      4c8c129addb0befc1233bcf97b5f2ba5aa768cc529d3244c7fd452b9a599ed27

    • SHA512

      8cd3cbadef4b14ddf322bc718b1a9956ce3211fcd0765ba8ef2af4ca4465cdb7baa7afdaf9e47da13d1098c5e2d0118dad7b5b85c27fcc2d5e1070f50818cb3b

    • SSDEEP

      196608:56nteHdgyFauFurL9pQQ9elLB9bRjc+TTAO8lw7NXCm9:ieHmENUelLTR5n8l+X9

    Score
    10/10
    xwormdiscoverypersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks