General

  • Target

    XWorm V5.6.rar

  • Size

    22.8MB

  • Sample

    250324-wrtadaxly9

  • MD5

    4aa656911a46847468e480e74f37ae67

  • SHA1

    340062970bc70a29707470afc0e66ebc9e1b507e

  • SHA256

    3dcf82a5dcd4001b480d8f66c5fcf909c4ebfa1bb5a1d0870f93a0d571e1e522

  • SHA512

    b5917ede96fe387b854a0dbb0458417107c8aa49d8e1beea75f64bb3745dde3eaf440b2a050ae88f944469fcdd31ef9492d5b3fa5c4a8312628480e1fa22cde2

  • SSDEEP

    393216:3Q1PVYEBgaO7X32A4SM063jkxjeyYJTij/OzPj0uBki7X5urBRxPPS13LmVBXa:A1BmaO7X319Mr3jYeySTiTODj0uywX8G

Malware Config

Targets

    • Target

      XWorm V5.6.rar

    • Detect Xworm Payload

    • Njrat family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Modifies Windows Firewall

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks