General
-
Target
tjFUD.exe
-
Size
40KB
-
Sample
240428-f87lbshc8y
-
MD5
9126c26063b71116148ea1f40db8c941
-
SHA1
300cdd5589e1ce8642a328f5e80f4246e9d0b062
-
SHA256
28a9ed9884a7f52e49a8026b03b757422a7e3d3a594e6cb7a13946191650b78a
-
SHA512
afff315fdd006cbf2589845700f2433b57c6062497b4f1b59d4096bafe3acee6fca81e4a15f05443dd03f39362eabd0c03312dec6e0dc56d22cb7f9f65071a8f
-
SSDEEP
768:kKpxOlNtidwAmJRXFuO5tF5PT95lvOMh23Ep:k/MWAmJ1FuOLFx95ZOMoW
Malware Config
Extracted
xworm
5.0
127.0.0.1:12547
147.185.221.19:12547
bay-currencies.gl.at.ply.gg:12547
and-organized.gl.at.ply.gg:12547
T8blWdnjot1TC8dy
-
Install_directory
%AppData%
-
install_file
runbroker.exe
Targets
-
-
Target
tjFUD.exe
-
Size
40KB
-
MD5
9126c26063b71116148ea1f40db8c941
-
SHA1
300cdd5589e1ce8642a328f5e80f4246e9d0b062
-
SHA256
28a9ed9884a7f52e49a8026b03b757422a7e3d3a594e6cb7a13946191650b78a
-
SHA512
afff315fdd006cbf2589845700f2433b57c6062497b4f1b59d4096bafe3acee6fca81e4a15f05443dd03f39362eabd0c03312dec6e0dc56d22cb7f9f65071a8f
-
SSDEEP
768:kKpxOlNtidwAmJRXFuO5tF5PT95lvOMh23Ep:k/MWAmJ1FuOLFx95ZOMoW
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-