General
-
Target
file.exe
-
Size
78KB
-
Sample
230327-vx2m9see45
-
MD5
c6aba0d34122d527c292e82279ad34c6
-
SHA1
5c0840af784d6af1f474f66dd22adf9c1abd9f07
-
SHA256
a8b7a1b11e3590c2d4363e3ecec57a3d7ad4be0992193a039bb105b5fe9b6500
-
SHA512
cec9ff6ba671779d92e32428ba84bac4e068c99274d45c02ec94fc260575ceacb078820e516e247754bb3637b1d6ed78e8a624ea3969aa370b65a1965e1cd5a6
-
SSDEEP
1536:lAc2OsgQW/wGJQB/4hbatuV1gD7boqMN61PQu4IgkOk8K/RABoJTGsqZ2eY7hBlZ:lrW4wGJIQco4D7bodXlIgxVK/sQqPYdR
Malware Config
Extracted
xworm
soon-lp.at.ply.gg:17209
G7BSoodIKNHsk7C8
-
install_file
USB.exe
Targets
-
-
Target
file.exe
-
Size
78KB
-
MD5
c6aba0d34122d527c292e82279ad34c6
-
SHA1
5c0840af784d6af1f474f66dd22adf9c1abd9f07
-
SHA256
a8b7a1b11e3590c2d4363e3ecec57a3d7ad4be0992193a039bb105b5fe9b6500
-
SHA512
cec9ff6ba671779d92e32428ba84bac4e068c99274d45c02ec94fc260575ceacb078820e516e247754bb3637b1d6ed78e8a624ea3969aa370b65a1965e1cd5a6
-
SSDEEP
1536:lAc2OsgQW/wGJQB/4hbatuV1gD7boqMN61PQu4IgkOk8K/RABoJTGsqZ2eY7hBlZ:lrW4wGJIQco4D7bodXlIgxVK/sQqPYdR
Score10/10-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-