General

  • Target

    Purchase-Order0312.scr.exe

  • Size

    1.1MB

  • Sample

    241204-k7a8ys1lfx

  • MD5

    7952a4922fababcbca3c78ee59415e9e

  • SHA1

    e3a7e223a824a6b3d2e6cd0ddf87cfeefb148af2

  • SHA256

    22a7c4f4a670d83cae15d302cc80745e342f96f3a450f8a944300727ee488288

  • SHA512

    4e6ddab2976d1cf7037e39349b48701eae1d06d34c5b20f2a5a6c5a5605b0395df10d48e0aa4a94f5f088ec4d4d5e6c14f3e6ae0eaa124572df0dd6d8156acc7

  • SSDEEP

    24576:32YbBimQPIfwcrPcam0eemF13KRx9z94zjEyftrlwT+m+sT0l:32YbBFAavmPKRrqEyftQT0l

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    xwormdnslogs.ddns.net:3361

  • Mutex

    ACAYwiOxkGUgTG4b

  • Attributes

    • install_file

      USB.exe

    • telegram

      https://api.telegram.org/bot7269639819:AAEhAhUQSG9Gc6LkCmuL5O3qAZPTOuQdnsQ/sendMessage?chat_id=1984778786

    • aes.plain
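As an added example (not part of the sandbox report), the script below takes the indicators from the extracted config and hash list above and runs them over a few constructed log lines. The log lines, the 10.0.0.x client addresses and the 203.0.113.7 destination are made up for the demonstration; the C2 name and port, the Telegram notifier URL and the SHA256 are the values the report extracted.

```python
"""Added example (not part of the sandbox report): turn the extracted XWorm
config into hunting checks and run them over constructed log lines."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Indicator values copied from the report's extracted config and hash list.
C2_HOST = "xwormdnslogs.ddns.net"
C2_PORT = 3361
TELEGRAM_URL = (
    "https://api.telegram.org/bot7269639819:AAEhAhUQSG9Gc6LkCmuL5O3qAZPTOuQdnsQ"
    "/sendMessage?chat_id=1984778786"
)
SAMPLE_SHA256 = "22a7c4f4a670d83cae15d302cc80745e342f96f3a450f8a944300727ee488288"


def parse_telegram_notifier(url):
    """Split a Telegram Bot API URL into the parts worth pivoting on.

    The numeric bot id before the colon and the chat_id are stable identifiers
    of the operator's setup; the secret after the colon is the bot token (a live
    credential) and is deliberately not returned.
    """
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = re.match(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$", parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "method": m.group(3), "chat_id": chat_id}


def sha256_matches(data):
    """True if a quarantined file's bytes are the reported sample."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed log lines for the demonstration: one DNS query, one outbound
# connection, one proxy request to the notifier URL, one benign request.
# 203.0.113.7 is a documentation-range placeholder, not a resolution of the
# DDNS name (the report gives no resolved address).
SAMPLE_LOGS = [
    "2024-12-04T10:31:02Z dns client=10.0.0.15 query=xwormdnslogs.ddns.net type=A",
    "2024-12-04T10:31:03Z conn src=10.0.0.15 dst=203.0.113.7:3361 proto=tcp",
    f"2024-12-04T10:31:09Z proxy src=10.0.0.15 url={TELEGRAM_URL}",
    "2024-12-04T10:32:00Z proxy src=10.0.0.22 url=https://example.org/index.html",
]


def match_iocs(lines):
    """Return (indicator, confidence, line) for each line that hits an IOC.

    The C2 is a dynamic-DNS name, so the strong match is on the name itself
    (DNS or proxy logs). A bare destination-port match is weak because the
    report gives no resolved address; it is reported only as low confidence.
    """
    bot = parse_telegram_notifier(TELEGRAM_URL)
    tg_pattern = re.compile(r"api\.telegram\.org/bot" + bot["bot_id"] + r":")
    port_pattern = re.compile(r"\bdst=\S+:" + str(C2_PORT) + r"\b")
    hits = []
    for line in lines:
        if C2_HOST in line:
            hits.append(("c2_domain", "high", line))
        elif tg_pattern.search(line) and f"chat_id={bot['chat_id']}" in line:
            hits.append(("telegram_notifier", "high", line))
        elif port_pattern.search(line):
            hits.append(("c2_port_only", "low", line))
    return hits


if __name__ == "__main__":
    print(parse_telegram_notifier(TELEGRAM_URL))
    for indicator, confidence, line in match_iocs(SAMPLE_LOGS):
        print(f"[{confidence}] {indicator}: {line}")
```

The bot token in the notifier URL is the operator's credential for that bot; the numeric bot id and the chat_id are the parts to pivot on across samples, and the token should not be used to call the API.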

Targets

    • Target

      Purchase-Order0312.scr.exe

    • Size

      1.1MB

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess (a process created with a parent other than the calling process, i.e. parent PID spoofing)

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Suspicious use of SetThreadContext (rewriting a thread's context is the usual way to redirect execution in a suspended process, as in process hollowing)

MITRE ATT&CK Enterprise v15

Tasks