General
-
Target
d3c5e789d12756e34a5461e809640b52.bin
-
Size
15.2MB
-
Sample
240630-egtpqaxbnj
-
MD5
d3c5e789d12756e34a5461e809640b52
-
SHA1
d8b9710872f0c3ba3e75e3bcd56071625cf4592e
-
SHA256
b1c30897a9ce11448790b40a820dd26571c9815b277b229715fadf0199870ac2
-
SHA512
267624b56bb7901fa66d7f8cd9fb5e0602a9054649b15738f84eafd06b56997f552310228a01087e5558725b43c38af87e224570e0e3a4ec570d8f6e0159481e
-
SSDEEP
393216:AlAEncAYaYUCwkm0r0McGg9p+aBfdRG1itJLr:SnOUCwL/2mpLf/G1YLr
Static task
static1
Behavioral task
behavioral1
Sample
d3c5e789d12756e34a5461e809640b52.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
d3c5e789d12756e34a5461e809640b52.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
xworm
5.0
5.tcp.eu.ngrok.io:14831
tGWGfcswkH2xASVw
-
Install_directory
%AppData%
-
install_file
svchost.exe
Targets
-
-
Target
d3c5e789d12756e34a5461e809640b52.bin
-
Size
15.2MB
-
MD5
d3c5e789d12756e34a5461e809640b52
-
SHA1
d8b9710872f0c3ba3e75e3bcd56071625cf4592e
-
SHA256
b1c30897a9ce11448790b40a820dd26571c9815b277b229715fadf0199870ac2
-
SHA512
267624b56bb7901fa66d7f8cd9fb5e0602a9054649b15738f84eafd06b56997f552310228a01087e5558725b43c38af87e224570e0e3a4ec570d8f6e0159481e
-
SSDEEP
393216:AlAEncAYaYUCwkm0r0McGg9p+aBfdRG1itJLr:SnOUCwL/2mpLf/G1YLr
-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1