General

  • Target

    example.lnk

  • Size

    106KB

  • Sample

    250306-rczfma1j14

  • MD5

    6975af881b0b0e3751002dcc064b886a

  • SHA1

    fa4fe5dfc3897677ee5b5c69cd189e4167427d37

  • SHA256

    f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

  • SHA512

    6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587

  • SSDEEP

    3072:pMFdgBocsBz76H4ELGylzlAX8tKWdJTU+S4St:pMFdgBoRN7yHOorJTU+S4St

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    181.214.214.6:30120

  • Mutex

    z5dRlxK0ktwBzYfm

  • Attributes

    • Install_directory

      %ProgramData%

    • install_file

      NVIDIA app.exe

  • aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks