General
Target: Xworm-V5.6.7z
Size: 18.5MB
Sample: 240314-3z9ewsdb23
MD5: 3b8cdead582e36eeb3b21522dcd6e0c4
SHA1: e0eb4e8716bc450d3676342fb1110cba54269230
SHA256: 5173aa253b2d7a82d5ae086379ceb72530eb9ac0e2ec26ef05b173fbf2f7745c
SHA512: 993f13ec38ad286b2bfe63717ce56e5887e4fd2c9524ac88c4d4b9c0ba5633002bab6f1f37df0f2568ab17d16e2473bd97a742edc6b38aa078bf2c3999a64162
SSDEEP: 393216:uSRufEtT1Vnr2xa3FiPeRnwR1eTxuW7yrEQep/zzsr:uartfga1ibj+JyrPAs
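The first thing to do with a sample pulled from the sandbox is confirm that the bytes in hand match the digests listed above, since every signature below is only meaningful for exactly those bytes. The following is an added Python example, not part of the report or of the sandbox's tooling: it checks all four digests and also validates the SSDEEP field the way ssdeep itself would (block size of the form 3 * 2**k, base64 chunk hashes of at most 64 and 32 characters, block size consistent with the file size), and encodes the rule that ssdeep only scores two signatures whose block sizes are equal or differ by exactly a factor of two. The digests and SSDEEP string are copied from the report; the size is taken as 18,500,000 bytes because the exact byte count is not on the page, and the bytes hashed in demo() are constructed stand-ins, so the digest check is expected to fail there.

```python
"""Verify a sample against the digests in the report and sanity-check its
SSDEEP signature.  Added example; digests are copied from the report, the
sample bytes in demo() are constructed stand-ins."""
import hashlib
import re

# Digests exactly as listed in the report for Xworm-V5.6.7z.
REPORTED_DIGESTS = {
    "md5": "3b8cdead582e36eeb3b21522dcd6e0c4",
    "sha1": "e0eb4e8716bc450d3676342fb1110cba54269230",
    "sha256": "5173aa253b2d7a82d5ae086379ceb72530eb9ac0e2ec26ef05b173fbf2f7745c",
    "sha512": "993f13ec38ad286b2bfe63717ce56e5887e4fd2c9524ac88c4d4b9c0ba5633002bab6f1f37df0f2568ab17d16e2473bd97a742edc6b38aa078bf2c3999a64162",
}
REPORTED_SSDEEP = "393216:uSRufEtT1Vnr2xa3FiPeRnwR1eTxuW7yrEQep/zzsr:uartfga1ibj+JyrPAs"
REPORTED_SIZE = 18_500_000   # "18.5MB"; the exact byte count is not on the page (assumption)

SPAMSUM_LENGTH = 64          # ssdeep's maximum length for the first chunk hash
MIN_BLOCKSIZE = 3
_B64 = re.compile(r"^[A-Za-z0-9+/]*$")


def verify_digests(data, reported=REPORTED_DIGESTS):
    """Return {algo: matched} for every digest in the report.  All must be True
    before the report's signatures can be assumed to describe these bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest.lower()
            for algo, digest in reported.items()}


def parse_ssdeep(sig):
    """Split 'blocksize:hash1:hash2' and validate it as ssdeep would: blocksize
    is 3 * 2**k, hashes use the base64 alphabet, hash1 is at most 64 characters
    and hash2 (computed at double the block size) at most 32."""
    parts = sig.split(":")
    if len(parts) != 3:
        raise ValueError("ssdeep signature must have three colon-separated fields")
    blocksize = int(parts[0])
    q = blocksize // MIN_BLOCKSIZE
    if blocksize % MIN_BLOCKSIZE or q <= 0 or q & (q - 1):
        raise ValueError(f"block size {blocksize} is not 3 * 2**k")
    h1, h2 = parts[1], parts[2]
    for h, limit in ((h1, SPAMSUM_LENGTH), (h2, SPAMSUM_LENGTH // 2)):
        if len(h) > limit or not _B64.match(h):
            raise ValueError(f"bad chunk hash {h!r}")
    return blocksize, h1, h2


def ssdeep_initial_blocksize(size):
    """Block size ssdeep starts from for a file of `size` bytes: the smallest
    3 * 2**k with blocksize * 64 >= size.  ssdeep may halve it afterwards if the
    first hash comes out shorter than 32 characters, so a reported block size
    larger than this value cannot belong to a file of that size."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < size:
        bs *= 2
    return bs


def ssdeep_comparable(sig_a, sig_b):
    """ssdeep only scores two signatures whose block sizes are equal or differ
    by exactly a factor of two; any other pair scores 0 regardless of content."""
    a, b = parse_ssdeep(sig_a)[0], parse_ssdeep(sig_b)[0]
    return a == b or a == 2 * b or b == 2 * a


def demo():
    # Constructed stand-in bytes: NOT the sample, so every digest must mismatch.
    fake = b"not the 18.5MB archive" * 1000
    blocksize = parse_ssdeep(REPORTED_SSDEEP)[0]
    return {
        "digests_match": verify_digests(fake),
        "ssdeep": parse_ssdeep(REPORTED_SSDEEP),
        "blocksize_consistent_with_size": ssdeep_initial_blocksize(REPORTED_SIZE) == blocksize,
    }


if __name__ == "__main__":
    print(demo())
```

For the listed values the check is self-consistent: 393216 is 3 * 2**17, the first chunk hash is 42 characters (so no post-hoc halving), and 393216 * 64 is the first block size that covers 18.5 MB, which is what you want to see before trusting a fuzzy-hash match against other samples.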
Behavioral tasks
behavioral1: sample Xworm-V5.6.7z, resource win7-20240221-en
behavioral2: sample Xworm-V5.6.7z, resource win10-20240221-en
behavioral3: sample Xworm-V5.6.7z, resource win10v2004-20240226-en
behavioral4: sample Xworm-V5.6.7z, resource win11-20240221-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:7000
Mutex: K6ApJ9kePy3uingC
Attributes: install_file = USB.exe
Note: the C2 is the loopback address, so this stub was built to reach a panel on the same host and the extracted config gives no network indicator to hunt for; the mutex name and the install filename remain usable as host-based indicators. The version string recovered from the binary (5.0) also differs from the version in the archive name (V5.6).
Targets
Target: Xworm-V5.6.7z
Size: 18.5MB
MD5: 3b8cdead582e36eeb3b21522dcd6e0c4
SHA1: e0eb4e8716bc450d3676342fb1110cba54269230
SHA256: 5173aa253b2d7a82d5ae086379ceb72530eb9ac0e2ec26ef05b173fbf2f7745c
SHA512: 993f13ec38ad286b2bfe63717ce56e5887e4fd2c9524ac88c4d4b9c0ba5633002bab6f1f37df0f2568ab17d16e2473bd97a742edc6b38aa078bf2c3999a64162
SSDEEP: 393216:uSRufEtT1Vnr2xa3FiPeRnwR1eTxuW7yrEQep/zzsr:uartfga1ibj+JyrPAs
Signatures
Three families are flagged in this one archive (Xworm, StormKitty, AgentTesla); the config extracted above covers only the Xworm component.
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET.
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
Detect Xworm Payload
StormKitty payload
AgentTesla payload
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (deciding whether to run based on the victim's configured locale).
Executes dropped EXE
Uses the VBS compiler for execution
vbc.exe, the .NET Visual Basic compiler, is launched at run time, either to compile code on the fly or to serve as a trusted Microsoft-signed host process for injected code.
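The signatures above are one-line labels; to make concrete what each one would match, the following is an added Python example (not the sandbox's own rule set) that re-derives them from a constructed, sandbox-style event log with one JSON object per line. The event schema, the Geo registry path, the Defender policy value names and the AppData drop location are assumptions; USB.exe is the install_file from the extracted config. The Defender signature on the page is static ("contains code"); the dynamic stand-in here flags the policy writes and Set-MpPreference invocation such code would produce when it runs.

```python
"""Re-derive the report's behavioural signatures from a constructed
sandbox-style event log.  Added example, not the sandbox's own rules; event
schema, registry paths and drop location are assumptions, USB.exe comes from
the extracted config."""
import json
import ntpath

# From the report's extracted config: the name the stub installs itself under.
CONFIG_INSTALL_FILE = "USB.exe"
# Assumed: where Windows keeps the configured country (GeoID) that the
# "Checks computer location settings" signature refers to (lower-cased for matching).
GEO_KEY = r"hkcu\control panel\international\geo"
# Assumed: Defender policy hive and the value names a disabling routine would set.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_DISABLE_VALUES = {"disablerealtimemonitoring", "disableblockatfirstseen",
                           "disableantispyware", "disablebehaviormonitoring"}

# Constructed event stream: pid 100 is the submitted stub, 101 is its dropped copy,
# 200 is unrelated benign activity that must not trigger anything.
SAMPLE_EVENTS = r"""
{"type": "process", "pid": 100, "ppid": 4, "image": "C:\\Users\\analyst\\Desktop\\sample.exe", "cmdline": "sample.exe"}
{"type": "file_write", "pid": 100, "path": "C:\\Users\\analyst\\AppData\\Roaming\\USB.exe"}
{"type": "process", "pid": 101, "ppid": 100, "image": "C:\\Users\\analyst\\AppData\\Roaming\\USB.exe", "cmdline": "USB.exe"}
{"type": "reg_read", "pid": 101, "key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}
{"type": "process", "pid": 102, "ppid": 101, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "cmdline": "vbc.exe"}
{"type": "process", "pid": 103, "ppid": 101, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true"}
{"type": "reg_write", "pid": 101, "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "value": "DisableRealtimeMonitoring", "data": 1}
{"type": "process", "pid": 200, "ppid": 4, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"type": "reg_read", "pid": 200, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", "value": "ShellState"}
"""


def load_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return {signature name: sorted pids} for every signature that fired."""
    hits = {}

    def hit(name, pid):
        hits.setdefault(name, set()).add(pid)

    dropped = set()  # lower-cased paths written during the run
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "file_write":
            path = ev["path"].lower()
            dropped.add(path)
            if ntpath.basename(path) == CONFIG_INSTALL_FILE.lower():
                hit("Drops the configured install_file", pid)
        elif kind == "process":
            image = ev["image"].lower()
            if image in dropped:                      # "Executes dropped EXE"
                hit("Executes dropped EXE", pid)
            if ntpath.basename(image) == "vbc.exe":   # "Uses the VBS compiler for execution"
                hit("Uses the VBS compiler for execution", pid)
            cmd = ev.get("cmdline", "").lower()
            if "set-mppreference" in cmd and "-disable" in cmd:
                hit("Contains code to disable Windows Defender", pid)
        elif kind == "reg_read":
            if ev["key"].lower() == GEO_KEY and ev.get("value", "").lower() == "nation":
                hit("Checks computer location settings", pid)
        elif kind == "reg_write":
            if (ev["key"].lower().startswith(DEFENDER_POLICY)
                    and ev.get("value", "").lower() in DEFENDER_DISABLE_VALUES):
                hit("Contains code to disable Windows Defender", pid)
    return {name: sorted(pids) for name, pids in sorted(hits.items())}


def run_sample():
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for name, pids in run_sample().items():
        print(f"{name}: pids {pids}")
```

The order of events matters for "Executes dropped EXE": the file_write must precede the process start, which is why the detector tracks written paths as it streams rather than joining two tables afterwards. Keying the Defender check on both the policy registry write and the Set-MpPreference command line catches either of the two ways a .NET stub usually implements it.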