General

  • Target

    PolyBuilds_1v1.exe

  • Size

    6KB

  • Sample

    241230-qrhkzswldq

  • MD5

    d33f9bf161de3e5d13b151c761e37a8d

  • SHA1

    3a9a4dabadccc73511825bec341eeb2de3fd82ce

  • SHA256

    f9e6d4d0c0c325f5ac3cd6617b3c1bd4ac37c7de6acc35bfb60173095bd540fb

  • SHA512

    bb20c073b3735a4e3780ca6ada4005db25b79061c6cf4aacbe4656f626ba62373b878bd09965a9bbed887780fcf91e27b57bab6cb44cd0306009528cb732918b

  • SSDEEP

    96:UoQkaCRyzH7CRZ8lk8if/91UV35l1Rf9BzNt:O9zbCT8on9OV35lDf9D

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    RtkAudUService64.exe

  • pastebin_url

    https://pastebin.com/raw/6ZBHT1SN

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks