General

  • Target

    conn.exe

  • Size

    28.2MB

  • Sample

    250301-2wbh1swjw9

  • MD5

    de3ad6fa97677f05a39ab5bbbc450f26

  • SHA1

    fb9962a587f15bbcd8ec3e8ca941d7dc6509318d

  • SHA256

    f1d7950f0a491a18da7d3ca9be9b3eec461ce2b5cfd34b7c9886dd2062f16612

  • SHA512

    fbec19de5dc2d57cc927bb3e7cd11cbb0524270527cb110663fff1f987f2ecd4ce8e2ac2a7e494ebaf8379a3e071b2a6efc02ff54830c51f30e92124e45e2874

  • SSDEEP

    786432:etu0coshxWHVn6s6b64G71jaoCo1Ha2XykTxnddneL9j:Mu0jyC6Fb6V71JCo1R3dlm

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    thetest.selfhost.co:1339

  • Mutex

    hyd6qZsPPsPPgljc

  • Attributes

    • Install_directory

      %ProgramData%

    • install_file

      DirectOutputService.exe

aes.plain

Targets

    • Target

      conn.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks