Overview

overview

10

Static

static

10

Extra Xite...V5.exe

windows7-x64

10

Extra Xite...V5.exe

windows10-2004-x64

10

Extra Xite...V5.exe

windows7-x64

10

Extra Xite...V5.exe

windows10-2004-x64

10

Extra Xite...V5.exe

windows7-x64

1

Extra Xite...V5.exe

windows10-2004-x64

1

Realtek HD...ce.exe

windows7-x64

10

Realtek HD...ce.exe

windows10-2004-x64

10

Windows Sh...st.exe

windows7-x64

10

Windows Sh...st.exe

windows10-2004-x64

10

Realtek HD...ce.exe

windows7-x64

10

Realtek HD...ce.exe

windows10-2004-x64

10

Windows Sh...st.exe

windows7-x64

10

Windows Sh...st.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Extra Xiters Premium V5.exe

  • Size

    5.9MB

  • Sample

    241118-xfyamasfkg

  • MD5

    e7ffdefa3a610c8f84f988a2972bbcf2

  • SHA1

    1c70131c35ea7ea03322b50da0c94dd062716e6a

  • SHA256

    132936f10f4245a94e6fc13084b5cbecf2c5462bd9217050dabfb65e17605869

  • SHA512

    cf78629b72c0181952aedcf5d35b4c4ce4b80de1cf762214feac02e8ad6859bfa1ca602467de2b45b13136f6f4f8b27f6aa19024ba71cdcdd9ceb1215f2bfc34

  • SSDEEP

    98304:VIzSeUYJRQ1msWlMFCTxvMrMW2ysfKRS4EmIsCCznHbAZ1bqZ1jE4Ehc1JK9BF:VIez71mblGKBDysynINCzn8ZZadkc0F

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

147.185.221.23:53638

147.185.221.20:65300
Mutex

Itj6uNzPbdGmJ8JP

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Realtek HD Audio Universal Service.exe

aes.plain
aes.plain

Extracted

Family

xworm

C2

147.185.221.23:58112

Attributes
  • Install_directory

    %AppData%

  • install_file

    Realtek HD Audio Universal Service.exe

Targets

    • Target

      Extra Xiters Premium V5.exe

    • Size

      5.9MB

    • MD5

      e7ffdefa3a610c8f84f988a2972bbcf2

    • SHA1

      1c70131c35ea7ea03322b50da0c94dd062716e6a

    • SHA256

      132936f10f4245a94e6fc13084b5cbecf2c5462bd9217050dabfb65e17605869

    • SHA512

      cf78629b72c0181952aedcf5d35b4c4ce4b80de1cf762214feac02e8ad6859bfa1ca602467de2b45b13136f6f4f8b27f6aa19024ba71cdcdd9ceb1215f2bfc34

    • SSDEEP

      98304:VIzSeUYJRQ1msWlMFCTxvMrMW2ysfKRS4EmIsCCznHbAZ1bqZ1jE4Ehc1JK9BF:VIez71mblGKBDysynINCzn8ZZadkc0F

    Score
    10/10
    xwormdiscoveryexecutionrattrojanpersistence

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      Extra Xiters Premium V5.exe

    • Size

      5.8MB

    • MD5

      41ea3928c2700aeacdc9ed241d9aa033

    • SHA1

      45ada2718ff189d4827d65a91215811cc4146471

    • SHA256

      16203d565fa1fd81e1349b8d168c646cf2455431062ed9f2beac9155b7189883

    • SHA512

      e567d85afec1ab16b8cee7f288a7072a73685414bc6ff3471e2769e73aa9e95f8a84a83aa36d8c157382e9906a26a2a0f9eaa7b2e766e4f41caf0e950e5d3a08

    • SSDEEP

      98304:0ZmXPDwhA4u+aFyUo552ec2PsF1iSREmPsD9poItjZ1V33cEEzcrb1oI97x:0ZkLwhAt+IyZtPsb3Pm9pokZTnKib9x

    Score
    10/10
    xwormdiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral3behavioral4

    • Target

      Extra Xiters Premium V5.exe

    • Size

      5.9MB

    • MD5

      2a7f7c65ac271fa56379a2245e983bea

    • SHA1

      ecbb644d2cd8379198f7ffd12eb409a2e33bc4e2

    • SHA256

      87ced2cd416291ea64b8a27746ae3386fa1951a432cec2810d7b97ddd5fb530f

    • SHA512

      f3f75125ccae4423df3bae01cdb68f3ef499ba984ff96798335d3fe77a37d4403f608d38e6b01fcc18baa9f1de7c05fde36dbabb5014f1cbfaa5053909267ba9

    • SSDEEP

      98304:d1w5LHyUvM13G0TjXX7QA1dhxS6wmQsgqlBlKjZmSyx5yEBgjBrf:dIzyUvq3fXV1dhnQzqlBwZna7gj

    Score
    1/10
    behavioral5behavioral6

    • Target

      Realtek HD Audio Universal Service.exe

    • Size

      40KB

    • MD5

      a29cf6541896f5be39c930c3737ff80c

    • SHA1

      526d9571e0368b6d02130d98af32561024fdb803

    • SHA256

      75abe13c29ec2a3a864d07299830be43502cb654bc1309b20e94c786fcc38631

    • SHA512

      e883bce9aabd5999ba363eeb7260dedd08e5e7099a27d6132b93e1c1f83358613c1aea34ad90656f53c36295c1fab3eda2cfa75cb5bf1048813ad586d6ba8b3b

    • SSDEEP

      768:QBj78fx6MooenBjJfDUbtRFH9OKw6BOMhtL05jP:U78p6MLeBjJfIbDFH93w6BOMTkjP

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

    • Target

      Windows Shell Experience Host.exe

    • Size

      86KB

    • MD5

      17f122079462e212871a1e2eb20eaff9

    • SHA1

      349e4b54323acce835916a2bbe40dc9c5d30931f

    • SHA256

      f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e

    • SHA512

      95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94

    • SSDEEP

      768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral10behavioral9

    • Target

      Realtek HD Audio Universal Service.exe

    • Size

      53KB

    • MD5

      ce3e5f8613ea049b651549eba3e3aa28

    • SHA1

      1197375be314ae5a69f3b742f0f539b881aca09a

    • SHA256

      9385116a4a3874548ffa027f4cd448d860ef8dc13fc687ce87790a01ede8e73a

    • SHA512

      ab1428177b5ec71447003ac01f5f99d9c7f2af634f17ef53d6f6be196714faac856b0bc3f62b6fad9975dad970ec247d35f56615c62b9ad483426f4ecaae71c2

    • SSDEEP

      768:/63AQe9cfNbv5s7Xol68y+JN/Db3dLPowu7aR6vaTOouhIZqklm:/WAQbdvoolZJ9b3dLPoCR68OnkZ8

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral11behavioral12

    • Target

      Windows Shell Experience Host.exe

    • Size

      86KB

    • MD5

      17f122079462e212871a1e2eb20eaff9

    • SHA1

      349e4b54323acce835916a2bbe40dc9c5d30931f

    • SHA256

      f483197df60b8767d23fa820efaab0c6bcc3a4b02ebee3c8f1290ef699f6697e

    • SHA512

      95548cb30e9e45c4024be181253200d2188b622754158f6268fa09e41327dbb8468399a1b5ddd9d868413638bf1b9b18f6814586530f2c6a0a6cbd6311234e94

    • SSDEEP

      768:NG9nICDiZGhCMhOB0s1SbiFG9Ox7h86BOMhUL02dC+IHZK:NgICDiZQRhVeFG9e7h86BOM+Nd6c

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Tasks