General
-
Target
XnullClient.exe
-
Size
246KB
-
Sample
240314-xcq25sbh21
-
MD5
e75aa49c9c45f34d7adc06c26cb5713b
-
SHA1
26d70fa548bf244ef8f3918e8eac34270fc285b7
-
SHA256
7c0047ceec6b6dab29c0fe2774fcbe0e514f9349ce02cf900da72104490c60ac
-
SHA512
409893b10cb8fe16270f10f0c6d3ba22cd1660e5e7ceb2eb32b2b82a22c3dabf61d42ad1601c1976b7fd82de4e8ed4226fae20012a9290dcc37675c06868a0d7
-
SSDEEP
3072:OsirFsIbSyEzhnCeOA3Mlea8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NS:rVIboseaUhcX7elbKTua9bfF/H9d9n
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/LN6JZUsV
Targets
-
-
Target
XnullClient.exe
-
Size
246KB
-
MD5
e75aa49c9c45f34d7adc06c26cb5713b
-
SHA1
26d70fa548bf244ef8f3918e8eac34270fc285b7
-
SHA256
7c0047ceec6b6dab29c0fe2774fcbe0e514f9349ce02cf900da72104490c60ac
-
SHA512
409893b10cb8fe16270f10f0c6d3ba22cd1660e5e7ceb2eb32b2b82a22c3dabf61d42ad1601c1976b7fd82de4e8ed4226fae20012a9290dcc37675c06868a0d7
-
SSDEEP
3072:OsirFsIbSyEzhnCeOA3Mlea8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NS:rVIboseaUhcX7elbKTua9bfF/H9d9n
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-