General

  • Target

    n4jy44.zip

  • Size

    1.1MB

  • Sample

    250119-tbx8aavjbz

  • MD5

    69970a8e87c5f74862fd8226a8caa0b1

  • SHA1

    bb6749a19c04d07b84f7928a8acf37d18abe2882

  • SHA256

    88d0612d150853b8e7f3d3e3bfbc5d96d0469df4b53b6e2afbb882e39324b3c6

  • SHA512

    1532fc72cfb5b3bd6e0e274e5d6fe1f3226ded0415aa5baf7d1d6828094fe2dc0e4fb13449f1f2fee9ef0994222bea5d8d83074f8d3f58bd18a8a706f7395a5d

  • SSDEEP

    24576:VpTcb0buDzgfSKWQKGPzhfdfy2Np9nSlBYJkH4ghPDgeA/M:VpjqDEfyGPzXy2Npcla8h5OM

Score
10/10

Malware Config

Extracted

Family

xworm

C2

drive-mens.gl.at.ply.gg:20498

Attributes
  • Install_directory

    %AppData%

  • install_file

    SystemUser.exe

Targets

    • Target

      Nezur_Internal.exe

    • Size

      1.3MB

    • MD5

      c8e3253dfa6d5a21b87950dd7eb2c652

    • SHA1

      c0d8849408efd3b42e07b8f43ecb2979158c9c0f

    • SHA256

      b8d5ab8adf0da37f5fcd09e09d3bab66458f4cd6fefc5760daa8c247fd55eb76

    • SHA512

      efa4cc3ccaa797c9f9c64c4aa6f4f0aa995d3e36bfe0563b7ffce0978ff880bc4fa913c363fbf7792fe552753098e870642b35602cf8625938e9ff84a1d376d9

    • SSDEEP

      24576:cUTaQIolipFeyKvY4JMdA9MpBO++aBIbH1CAB1v:caIowzeth9KIbHhBp

    Score
    10/10

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2
