Overview

overview

10

Static

static

3

2025-04-06...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch

  • Size

    6.6MB

  • Sample

    250406-mvag1aypz8

  • MD5

    12778dfad55cfadd9a32f3f4b0f83d32

  • SHA1

    dc40d26edd670ee5d87633349381da36f7c7bf34

  • SHA256

    0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a

  • SHA512

    f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47

  • SSDEEP

    49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:9000

45.134.39.20:9000
Mutex

oV8zKY7m1pKloRzQ

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch

    • Size

      6.6MB

    • MD5

      12778dfad55cfadd9a32f3f4b0f83d32

    • SHA1

      dc40d26edd670ee5d87633349381da36f7c7bf34

    • SHA256

      0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a

    • SHA512

      f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47

    • SSDEEP

      49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks