General

  • Target

    steamtools.exe

  • Size

    16.5MB

  • Sample

    250308-kdt4zatrv8

  • MD5

    97592018d4745ddb6f4881afbeaab229

  • SHA1

    f72f7b9b3a17ca5df104196b13faa561f323d3c4

  • SHA256

    213f8f74208577665d8eba6e082166a4f7c69bccf53439a78352262aff155856

  • SHA512

    6f259dd64ecdf97dba0e0a581cc8b664e1fcc2d1c64e94b4654b83e6631264614f14f88857565f23e258e1fcb18590e0ac526e9b380fce88c65a0223b9fefd3d

  • SSDEEP

    393216:wvQ37gGFSrT4XvbmLeLAOqNs2WxsDneQ4LUo7DGqCcKKn:wvkSrT4XvbyeLAO2LeQ54DzKC

Score
10/10

Malware Config

Extracted

Family

xworm

C2

192.3.141.148:2020

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      steamtools.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

MITRE ATT&CK Enterprise v15

Tasks