General

  • Target

    Wave.exe

  • Size

    136KB

  • Sample

    250127-sle9savnfn

  • MD5

    babf5baf8e26f479242d28cd7737bfcf

  • SHA1

    b76b459b9aedf628363d3d4da27aa56e1d9a80ab

  • SHA256

    cc38061ed6436ce90ce74e3a5bb969d26b604fe7b6d45ce2f9e5f1d66d99343e

  • SHA512

    74e7f66bbceea33cbffb2b164dbc170bfed4d650edeb59b93223bcb371abb9db9b73ddfb75355181d74ed1e83e66944fed9e73bfd8c2dc93c165b479155957b6

  • SSDEEP

    3072:5zn5ndBNLQ/bXf26Oq4o4AODQBwUjWZ6RZLTNwEKWmAMMMVgdxo9p:HNLQ/bWo4AO7M1XCKm

Score
10/10

Malware Config

Extracted

Family

xworm

C2

social-decorative.gl.at.ply.gg:29942

find-soup.gl.at.ply.gg:29942

Attributes
  • Install_directory

    %Temp%

  • install_file

    XClient.exe
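The extracted configuration above is enough to build a small IOC matcher. The block below is an added example and is not part of the sandbox report or of the XWorm family itself: it copies the four hashes, the two C2 hostnames, the port and the install path from the report, hashes file contents with the same four algorithms for comparison, and scans log lines for the C2 hosts and the dropped `%Temp%\XClient.exe` path. The log lines and their field layout are constructed for the demonstration.

```python
"""IOC matcher for the XWorm sample in the report above (added example)."""
import hashlib
import re
from typing import Dict, List, Set

# Indicators copied from the report.
REPORT_HASHES: Dict[str, str] = {
    "md5": "babf5baf8e26f479242d28cd7737bfcf",
    "sha1": "b76b459b9aedf628363d3d4da27aa56e1d9a80ab",
    "sha256": "cc38061ed6436ce90ce74e3a5bb969d26b604fe7b6d45ce2f9e5f1d66d99343e",
    "sha512": "74e7f66bbceea33cbffb2b164dbc170bfed4d650edeb59b93223bcb371abb9db"
              "9b73ddfb75355181d74ed1e83e66944fed9e73bfd8c2dc93c165b479155957b6",
}
C2_HOSTS: Set[str] = {"social-decorative.gl.at.ply.gg", "find-soup.gl.at.ply.gg"}
C2_PORT = 29942
# %Temp%\XClient.exe: match the path tail so any user profile directory fits.
INSTALL_PATH_RE = re.compile(r"\\temp\\xclient\.exe\b", re.IGNORECASE)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest file contents with the four algorithms the report lists."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def match_hashes(digests: Dict[str, str],
                 known: Dict[str, str] = REPORT_HASHES) -> Set[str]:
    """Return the algorithms whose digest equals the report's value."""
    return {
        alg for alg, value in digests.items()
        if known.get(alg, "").lower() == value.lower()
    }


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag lines that mention a C2 host, the C2 port on that host,
    or the dropped install file. Returns one hit per matching line."""
    hits: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        low = line.lower()
        reasons: List[str] = []
        if any(host in low for host in C2_HOSTS):
            reasons.append("c2-host")
            if f":{C2_PORT}" in low:
                reasons.append("c2-port")
        if INSTALL_PATH_RE.search(line):
            reasons.append("install-path")
        if reasons:
            hits.append({"line": idx, "reasons": reasons, "text": line})
    return hits


# Constructed log lines (not from the report): DNS, flow and process events.
SAMPLE_LINES: List[str] = [
    "2025-01-27T09:14:02Z dns query A social-decorative.gl.at.ply.gg client=10.0.0.17",
    "2025-01-27T09:14:03Z netflow 10.0.0.17 -> find-soup.gl.at.ply.gg:29942 proto=tcp",
    "2025-01-27T09:14:05Z sysmon ProcessCreate "
    "Image=C:\\Users\\bob\\AppData\\Local\\Temp\\XClient.exe "
    "ParentImage=C:\\Users\\bob\\Downloads\\Wave.exe",
    "2025-01-27T09:15:00Z dns query A www.example.com client=10.0.0.22",
]


if __name__ == "__main__":
    # Hash a file on disk: open(path, "rb").read() then match_hashes(hash_bytes(...)).
    print("empty-file digests match report:", match_hashes(hash_bytes(b"")))
    for hit in scan_log_lines(SAMPLE_LINES):
        print(hit["line"], hit["reasons"], hit["text"])
```

Two caveats when turning this into a detection: the hashes identify only this build, and XWorm is rebuilt per campaign, so the hostnames and the `XClient.exe` drop in `%Temp%` travel better than the digests; and the `gl.at.ply.gg` names are playit.gg tunnel endpoints, so the address they resolve to is a shared relay and should be alerted on by hostname and port rather than blocked by IP alone.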

Targets

    • Target

      Wave.exe

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
