Overview

overview

10

Static

static

3

XbinderV2.1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XbinderV2.1.exe

  • Size

    5.0MB

  • Sample

    241119-2drsaatpf1

  • MD5

    4fae9d58f316945e4dd804b87ea448ea

  • SHA1

    2040e113ff666ff86b4c6bbe0ad8ffb90b8b08b9

  • SHA256

    fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861

  • SHA512

    609b7cd7e4baf006ddbff99e44d6724e009938bccc1ae332417abe21c0de1001275c54e33c9d18d6de751bcaa4e4f2482877368116564d0f6dca83f4ef16d3c7

  • SSDEEP

    24576:yair/rjVJbC7vztZJIS002Kgp/nn6V9g:ya07qx0Zns

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:63603

37.4.250.236:63603
Attributes
  • Install_directory

    %AppData%

  • install_file

    Runtime.exe

Targets

    • Target

      XbinderV2.1.exe

    • Size

      5.0MB

    • MD5

      4fae9d58f316945e4dd804b87ea448ea

    • SHA1

      2040e113ff666ff86b4c6bbe0ad8ffb90b8b08b9

    • SHA256

      fcde1964bf5a6864ae27f37f2275d72177414c1cc0c7a335b9016df530ca8861

    • SHA512

      609b7cd7e4baf006ddbff99e44d6724e009938bccc1ae332417abe21c0de1001275c54e33c9d18d6de751bcaa4e4f2482877368116564d0f6dca83f4ef16d3c7

    • SSDEEP

      24576:yair/rjVJbC7vztZJIS002Kgp/nn6V9g:ya07qx0Zns

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks