Overview

overview

10

Static

static

7

2f3fb98cde...a0.exe

windows7-x64

10

2f3fb98cde...a0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2f3fb98cde0255f83e6c5f3e9676868fe17f969a7f6103fe5db3a791ff5325a0.exe

  • Size

    2.8MB

  • Sample

    241203-qyxcqatjfr

  • MD5

    0c5dad3e8eb28ced1fa7dcff2099c889

  • SHA1

    69af5491ceb2b2889e59ddf1fea5b445c0fe1dcb

  • SHA256

    2f3fb98cde0255f83e6c5f3e9676868fe17f969a7f6103fe5db3a791ff5325a0

  • SHA512

    359ea9db76eaba98ba520df8ebf973f3ef4dd6d0e3711c1d1ebf057e5c0f2650f2c6af1a9a5a3a55efa6d400e654f30a79df86f74042788e0748817f34d6eb8d

  • SSDEEP

    49152:95VWQ4h1EtbHYF4PGVHX9gWX9cPpmnUr+Syx+UQ498iEjEv/6p3BVR51:9FjtbO4PCtDKpohbx+b4aHA/QHr1

Score
10/10
xwormdiscoveryevasionpersistenceratthemidatrojan

Malware Config

Extracted

Family

xworm

C2

canada-nervous.gl.at.ply.gg:26681

Attributes
  • Install_directory

    %AppData%

  • install_file

    scvhost.exe

  • telegram

    https://api.telegram.org/bot7556258236:AAFbbPTNmGub8pdNz3R3W7xxukN43pvt5Tc/sendMessage?chat_id=7191221522

Targets

    • Target

      2f3fb98cde0255f83e6c5f3e9676868fe17f969a7f6103fe5db3a791ff5325a0.exe

    • Size

      2.8MB

    • MD5

      0c5dad3e8eb28ced1fa7dcff2099c889

    • SHA1

      69af5491ceb2b2889e59ddf1fea5b445c0fe1dcb

    • SHA256

      2f3fb98cde0255f83e6c5f3e9676868fe17f969a7f6103fe5db3a791ff5325a0

    • SHA512

      359ea9db76eaba98ba520df8ebf973f3ef4dd6d0e3711c1d1ebf057e5c0f2650f2c6af1a9a5a3a55efa6d400e654f30a79df86f74042788e0748817f34d6eb8d

    • SSDEEP

      49152:95VWQ4h1EtbHYF4PGVHX9gWX9cPpmnUr+Syx+UQ498iEjEv/6p3BVR51:9FjtbO4PCtDKpohbx+b4aHA/QHr1

    Score
    10/10
    xwormdiscoveryevasionpersistenceratthemidatrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks