General
- Target: LSD.zip
- Size: 143KB
- Sample: 240402-a5fesacb83
- MD5: 32529b840edfae5391754cc4bb072ee7
- SHA1: 6dab2051d90fe6b1dacc9eff62cdc7a0b84c1ec5
- SHA256: c56bf7def89f84021fef68e6f982d4353509948cbf64b4ed6e562913e74824d3
- SHA512: 610f91f589a2b63a488ce4d75432346062b69677355bb1f4d04b2d53fe1865d123eeca53477e20bb8712e1014a3601d8c00dd87e2fe1226a5872856fd301416c
- SSDEEP: 3072:CcfoE1BMBy2RzDN5/pNnBFS2X+kR+d7Emic8j6+mU56xtVQwBc13TWYb9fVUaGDY:uaDuqJMfc3VSgE29xxspm0n1vuz3NF9+
Static task: static1
Behavioral task: behavioral1
- Sample: LSD.zip
- Resource: win11-20240221-en
Malware Config
Extracted: xworm
5.0
7.tcp.ngrok.io:22206
gZUzvp6k0Vw7befo
- Install_directory: %AppData%
- install_file: OneDrive.exe
- telegram: https://api.telegram.org/bot6356371662:AAF4_y4uR4P5salxGzkxmxDwHJPbGvs4F18
Extracted: discordrat
- discord_token: MTIxNTkxNDE2OTQzNDY0MDQ4NA.GHG2tI.FdChr7ncxdWTRNVDebgqvEe-YEBQ0w9irxSTnI
- server_id: 1215913648778903614
Targets
- Target: LSD.zip
- Detect Xworm Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.