General

  • Target

    resthiemailmatrix.hub.exe

  • Size

    118KB

  • Sample

    250305-zjrncsypv8

  • MD5

    7fc47d0f79e8bbb131e947beb67538ef

  • SHA1

    b374cf5bfa41740e6a541e1f558a9e400720493a

  • SHA256

    70fdf77f0aaca97b95c87bd9f31b0dda0f5c552b156e3788c9768dace10837f1

  • SHA512

    9d5b848d0c9075b2240d7fbda92346a5a9506e9a0689f47e185be4998442fba14f2854dfe4f794dc6bb8dbdad66927ae3fe20a3e92945b81367ddc8c9661ecb2

  • SSDEEP

    1536:cQowDILgxGY+lzyUF5g/PE3CfLSFUdo+e/erRMRsI0PiCxdm6fueNWa/FFr2DYi:1pGY+l1OUaLSFR+nsm5r+F

Score
10/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

paul-nw.gl.at.ply.gg:3111

Mutex

F4I7I2sWyinFgipq

Attributes
  • Install_directory

    %AppData%

  • install_file

    kev.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks