General
-
Target
Acordx.exe
-
Size
39KB
-
Sample
230325-ngsl4aef2x
-
MD5
d8eea36339d0a086726466a84da3f0af
-
SHA1
9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
-
SHA256
66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
-
SHA512
124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
-
SSDEEP
768:o1leL7KF2loeyNLRLGlw1FP19EnOphTu+vLe:6eKhegElWFt9EnOpNy
Malware Config
Extracted
xworm
soon-lp.at.ply.gg:17209
G7BSoodIKNHsk7C8
-
install_file
USB.exe
Targets
-
-
Target
Acordx.exe
-
Size
39KB
-
MD5
d8eea36339d0a086726466a84da3f0af
-
SHA1
9142f5dea09185b825dd1f49fedd4c1b2f9fb7ad
-
SHA256
66fef291c5314a7a20d2d8535ca351bcdd47bafb41136c8855f5ed460be856e1
-
SHA512
124690ddd7d8269d4d85bafb1249fa720230a44f4c3db49ebd3589e0ba2e109400ad344e31ecda6d2cefb38ef17be137b3e7b7ad617f1e762f4d41c2541bfb8b
-
SSDEEP
768:o1leL7KF2loeyNLRLGlw1FP19EnOphTu+vLe:6eKhegElWFt9EnOpNy
Score10/10-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-