General

  • Target

    FORNITECHEATS.exe

  • Size

    110KB

  • Sample

    250126-ge3wqatlhz

  • MD5

    75a8734fc3c824ca35076cf207464f3b

  • SHA1

    b155f2ab391a48a201325f9b8cfca29f715c6278

  • SHA256

    ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768

  • SHA512

    76bcaf6d0314ab5e0636f4620c63d89b77e0d0cc030d227580bd90ec72fcbc74ffb6c020353186c8f0437e4647e11da8fdb231acd761ecf2bbda69a3d2d2a9a5

  • SSDEEP

    3072:rYbI6yh0etRYheyF4rdzbKMxIrFvI5gcDMB:cb7HetRYhevdD+rFQ/Q

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15