General

  • Target

    BLOODSTEALER.exe

  • Size

    62KB

  • Sample

    250123-g8bpbswrfz

  • MD5

    d361dc014b73a322681f2fb1e83f9091

  • SHA1

    6411e30e47b02a5ead2d3b8c98105734e2dc8915

  • SHA256

    3b67604b47e117c1eff51c5e7c26c8258441c8b27809495cc7d0bb407fdbc377

  • SHA512

    8ab35a0008bd184296688fac0db593069d4d37da72777b0130ed9d1a46e9eed728e4d74206941c9eb333bd21b91a4158514e888dba0dbe99af0bbbc181fc7591

  • SSDEEP

    1536:96gXIHbI7Ef01kbhEFCJ8nm68shlOTQyAzTUk:v1kbh98n0s7OTIok

Malware Config

Extracted

Family

xworm

C2

147.185.221.24:17857

Attributes
  • Install_directory

    %LocalAppData%

Targets

    • Target

      BLOODSTEALER.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is not scanned (ATT&CK T1059.001 / T1562.001).

    • Checks computer location settings

      Reads the country code configured in the registry; most likely a geofence check that decides whether the payload runs.

    • Drops startup file
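The behaviours above (Defender exclusions added from PowerShell, a connection to the extracted C2, a drop under %LocalAppData% and a startup file) are the ones a responder would hunt for on other hosts. The following is an added example, not part of the sandbox report and not code from XWorm or the sandbox vendor: detection logic in Python over Sysmon-style events exported as JSON lines (EventID 1 process creation, 3 network connection, 11 file create, with the field names CommandLine, DestinationIp, DestinationPort and TargetFilename). The event data is constructed for the example, not a capture from this sample; the C2 address and install directory are taken from the report. It goes beyond the report in one respect: because the report does not say how the PowerShell was launched, the check also decodes `-EncodedCommand` launches before matching.

```python
"""Hunt for the XWorm behaviours listed in the report over JSON-lines
Sysmon-style events. Sample events below are constructed, not captured."""
import base64
import json
import re

# Indicators from the report: extracted C2 (ip, port) and install directory.
C2 = {("147.185.221.24", 17857)}
INSTALL_DIR_MARKER = "\\appdata\\local\\"  # what %LocalAppData% expands to

# Add-/Set-MpPreference with any -Exclusion* parameter (path, extension,
# process, IP address). Hypothetical rule, not a vendor signature.
EXCLUSION_RE = re.compile(
    r"\b(?:add|set)-mppreference\b.*?-exclusion(?:path|extension|process|ipaddress)?\b",
    re.IGNORECASE | re.DOTALL,
)
# powershell -e / -enc / -EncodedCommand <base64 of UTF-16LE script>
ENCODED_RE = re.compile(
    r"-e(?:ncodedcommand|ncoded|ncode|ncod|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) to the command line
    so EXCLUSION_RE also fires when the script is base64-wrapped."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return cmdline
    return cmdline + "\n" + decoded


def classify(event: dict) -> list:
    """Return the list of behaviour tags one event triggers (possibly empty)."""
    tags = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        if EXCLUSION_RE.search(expand_encoded(event.get("CommandLine", ""))):
            tags.append("defender_exclusion")
    elif eid == 3:  # network connection: match ip AND port, not the host alone
        if (event.get("DestinationIp"), event.get("DestinationPort")) in C2:
            tags.append("xworm_c2")
    elif eid == 11:  # file create
        path = event.get("TargetFilename", "")
        if STARTUP_RE.search(path):
            tags.append("startup_drop")
        if INSTALL_DIR_MARKER in path.lower():
            tags.append("localappdata_write")
    return tags


def triage(jsonl: str) -> list:
    """Run classify() over every JSON line; return (line_index, tag) hits."""
    hits = []
    for i, line in enumerate(jsonl.splitlines()):
        line = line.strip()
        if not line:
            continue
        for tag in classify(json.loads(line)):
            hits.append((i, tag))
    return hits


def _ps_encoded(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = r"C:\Users\victim\AppData\Local\BLOODSTEALER.exe"

# Constructed sample events: two exclusion launches (one encoded), one benign
# PowerShell, the C2 connection, a same-host decoy on another port, the drop
# into %LocalAppData% and a shortcut in the user's Startup folder.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": PS, "CommandLine":
        'powershell -NoP -W Hidden -Command "Add-MpPreference '
        '-ExclusionExtension exe -ExclusionProcess BLOODSTEALER.exe"'},
    {"EventID": 1, "Image": PS, "CommandLine":
        "powershell -nop -enc " + _ps_encoded("Set-MpPreference -ExclusionPath $env:LOCALAPPDATA")},
    {"EventID": 1, "Image": PS, "CommandLine": "powershell -Command Get-MpPreference"},
    {"EventID": 3, "Image": PAYLOAD, "DestinationIp": "147.185.221.24", "DestinationPort": 17857},
    {"EventID": 3, "Image": PAYLOAD, "DestinationIp": "147.185.221.24", "DestinationPort": 443},
    {"EventID": 11, "Image": PS, "TargetFilename": PAYLOAD},
    {"EventID": 11, "Image": PAYLOAD, "TargetFilename":
        r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BLOODSTEALER.lnk"},
])

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The C2 check deliberately keys on the (ip, port) pair from the extracted config rather than the IP alone: the same host on another port is logged but not tagged, which keeps the rule precise when the address belongs to a shared hosting range. Feed it real Sysmon exports by replacing SAMPLE_EVENTS with the file contents.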

MITRE ATT&CK Enterprise v15
