General

  • Target

    PO#GREEN AURA.img

  • Size

    154KB

  • Sample

    250306-sy4sxa1zd1

  • MD5

    794165e53b9cc7822ede72bb0c2eae2c

  • SHA1

    00fcd274e6ee06aa58e808861b62f6bc8377daed

  • SHA256

    414126c3043f1ba01115c1f4cdca23bc31936d59ceeb1107b934555b73e45146

  • SHA512

    7f828a4c3300439b0c08add9a5ca1feb69a2afb7ec770e751de9a66bf1aa3ac816d8d1d7fe10857f290f11aaf112d760771d378399a0783c399eb0c72d19f9a9

  • SSDEEP

    1536:4fDrLD7tmNEoCfjSbHb7RqWYZvZqF3c9MwsUSEJxY87d17:4HLD7Ewub70Wmy3VwQGxY87r7

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • Mutex

    QIUpnGyi0OFuIMGO

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Target

      PO#GREEN AURA.exe

    • Size

      103KB

    • MD5

      71e0c8f71b15046709d4e250086346a4

    • SHA1

      9536f9bc5e10128074cdd2597e970b29d44c4bcd

    • SHA256

      462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0

    • SHA512

      15cd09125122f6e79bffc9112ee888c4afef515d09a9598da2b23cbc240b043e63f1d3d6538c74fc56cd65eeeb756679f1a4d54dd74e0a026ba80a7999dff2ba

    • SSDEEP

      1536:EfDrLD7tmNEoCfjSbHb7RqWYZvZqF3c9MwsUSEJxY87d17:EHLD7Ewub70Wmy3VwQGxY87r7

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks