General

  • Target

    2ZRahoFPSz5NUBY.exe

  • Size

    2.9MB

  • Sample

    250306-vxcn5strv4

  • MD5

    551bdc94c503bfeffe46d96eb21484f8

  • SHA1

    b7313d730bb8f08774977229229d167dd272ce82

  • SHA256

    413f81b625d636a96eeb41de781c777c5294e7f8f5c714a1921d005e7f46800b

  • SHA512

    32d07f233f3b66a8863747b1239648e0154f17bbc9f5453a7dbbcbcb12263da31d8bed2e1194a634c8c2174635223e1abfe50bbd873ee3f60f37f77e8fb3ea59

  • SSDEEP

    49152:ULkjyaZH575syNqACjngmISzn5TfBDgTZUJ4crvFnXI6Txjj5eHKf:ULkjyaZH5iyNqlTvfRvhI6Fj5IK

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:12830

technical-tract.gl.at.ply.gg:12830

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    PyslionV1.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
