Overview

overview

10

Static

static

10

PJsPp3e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PJsPp3e.exe

  • Size

    43KB

  • Sample

    250406-np3r2azms3

  • MD5

    ea69167000ca8cd93a6f327c19a1c7c9

  • SHA1

    2af8e932bd1a6bf0c0074ef98e12bc34c26f8994

  • SHA256

    73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934

  • SHA512

    5291d96024760668e525b2ef97b8b41f83d94d15911acbf1b82b970a1d5a8647fe78a779df46c83bac2a471b7fbd512942aa841d680447e63af8a4db0735d3c9

  • SSDEEP

    768:tlqRZ9SFb+U89ORdtwDTUF59EWlOChlf9dTsL:tERZ9q1HtgQF59EWlOC7VlsL

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:6666

5.180.155.29:6666
Mutex

QPPP7ypX2vFWlxk3

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot8016176478:AAGVLtLncU8-ZLd-P86FqeQzAOXJybu2R9g/sendMessage?chat_id=5165347769

aes.plain

Targets

    • Target

      PJsPp3e.exe

    • Size

      43KB

    • MD5

      ea69167000ca8cd93a6f327c19a1c7c9

    • SHA1

      2af8e932bd1a6bf0c0074ef98e12bc34c26f8994

    • SHA256

      73c6fa2e52043649f60d92324da6b3668553539f4c6b43f595e4e093f7883934

    • SHA512

      5291d96024760668e525b2ef97b8b41f83d94d15911acbf1b82b970a1d5a8647fe78a779df46c83bac2a471b7fbd512942aa841d680447e63af8a4db0735d3c9

    • SSDEEP

      768:tlqRZ9SFb+U89ORdtwDTUF59EWlOChlf9dTsL:tERZ9q1HtgQF59EWlOC7VlsL

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks