General

  • Target: Nurik (1029).zip
  • Size: 362KB
  • Sample: 250306-nhzrssxpy4
  • MD5: c3790899be884478539733b36ad3a76c
  • SHA1: 43faab1472be6b9aae19242fe695997aea1732d6
  • SHA256: 0ee44adb41c176680bd68bcc3f8c99aed0b404cedbee7cdcfa02394c8a1e6d01
  • SHA512: 004194a277d0b4bb5b4c0d4cdb5eb45bf67f38f992bb4e508a8a206f249f11d76679f929cbfb459e1a0b5e1ac7a2495e861a9dfd7b6ad996c11daf387d42b54c
  • SSDEEP: 6144:nzdiN2isCF7blAul7XG/jfC/fnlm7dWTHKSCuw+ix/xJsaesZyVMv1nlXNsi3LoL:nWpTdRACGzCHnlsSw+ixT2nV2S2LoIsN

Malware Config

Extracted

Family: xworm

C2: funds-skating.gl.at.ply.gg:28367

Attributes
  • Install_directory: %Userprofile%
  • install_file: svchost.exe

Targets

    • Target: CrackLauncher.exe
    • Size: 602KB
    • MD5: 3f130f5434b8e3f910ed4728752d0d90
    • SHA1: 25451b8025d529012b81e38493c42c682337b148
    • SHA256: c3d4c0d6d8bdb25a0982bb01524aea9383f4c2cfbfebdbca2982594f6d675032
    • SHA512: 63eceae915c2c7a69c2c8238d55fc595e01971ba207d7a853617cd75040bb6542228a73cd0946174bdd380f541a072efb1d01ae674182155f76cb98672330e75
    • SSDEEP: 12288:YkHpR0q8/RBgTmBbbFHOyml6bmqNjIabY1IY6QcBo:Nqp4xqd3o

    • Detect Xworm Payload
    • Xworm: Xworm is a remote access trojan written in C#.
    • Xworm family
    • Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
    • Executes dropped EXE
    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks