General
-
Target
nigga.exe
-
Size
41KB
-
Sample
240428-gbv2pshb96
-
MD5
2050f7f1b36613662a5b4bf5756589f4
-
SHA1
5203b9e7928342b7c40ab9865b9701effcd818c1
-
SHA256
9e776e42d46f0ea879002d936b62f7494e1d770c72238d739e9c2683d88745e0
-
SHA512
25ada35957fed8f825350fe711ad98de669ce551a449a9b3ee94c43bdf07f8895d82ca2e652ba72e9e6685e3eb035e4ba3622c55bd08aabb08cf02d91fd5cbbe
-
SSDEEP
768:9TFHrDMQVZYwCxsAuwKFjHKShtF5PG9+bOwhO3EuXA:DwQEdOAulzKSTFI9+bOwgFXA
Malware Config
Extracted
xworm
5.0
127.0.0.1:38630
147.185.221.19:38630
bay-currencies.gl.at.ply.gg:38630
and-organized.gl.at.ply.gg:38630
community-excess.gl.at.ply.gg:38630
YfT9WSgF2TVkrY89
-
Install_directory
%AppData%
-
install_file
runbroker.exe
Targets
-
-
Target
nigga.exe
-
Size
41KB
-
MD5
2050f7f1b36613662a5b4bf5756589f4
-
SHA1
5203b9e7928342b7c40ab9865b9701effcd818c1
-
SHA256
9e776e42d46f0ea879002d936b62f7494e1d770c72238d739e9c2683d88745e0
-
SHA512
25ada35957fed8f825350fe711ad98de669ce551a449a9b3ee94c43bdf07f8895d82ca2e652ba72e9e6685e3eb035e4ba3622c55bd08aabb08cf02d91fd5cbbe
-
SSDEEP
768:9TFHrDMQVZYwCxsAuwKFjHKShtF5PG9+bOwhO3EuXA:DwQEdOAulzKSTFI9+bOwgFXA
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-