General

  • Target

    sora._gpj.Scr

  • Size

    120KB

  • Sample

    250124-3cbkcavqan

  • MD5

    6d00a564c89b3a399d499f0d28b2be48

  • SHA1

    1d5a9e16dc43ce2ac1295c47201bbf5e340931a8

  • SHA256

    654acd8d84aa1664fa2d38eae0aebfcc99380469ec13ced30a99261a8d2d20a1

  • SHA512

    394d5d0216c6c6f08950cc7829f71090a0e751f1b04c35ac5850952048f5d73057724a9604a3192d84579ccc49482ffcde6e002d05fc834cba1ddc77bfbeac64

  • SSDEEP

    1536:x0M2Mhe42I3Ytb5zzFZ9jROj88Whg+mPMOCLtx2z46pEvplVppRp2Xptp8pegphx:xrHeLISFZ9jROj+hjmPHZrwENNo

Score
10/10

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    193.123.88.61:4444

  • Mutex

    lUiytqUjxbuCEb6P

Attributes
  • Install_directory

    %AppData%

  • install_file

    host.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE
