General

  • Target

    XcHvYYrNa.exe

  • Size

    748KB

  • Sample

    240521-lnpsnsgg32

  • MD5

    bfc4d41e586c74ee484b3faa09bf687b

  • SHA1

    bb689c652f2c8be785c8a573a4497ab7912fcdbf

  • SHA256

    0fbaf06d72dc67cf331ffef548ea345f139409fd66dbaf6da3467b8ad2712785

  • SHA512

    a4ecaac361193345bb273cc3ff422b7558a8e1b384b2907457c662ff9d59afa222bd93afdb1e3ded5634ab3f174bba3759f389cd1c59db58f48e0290b9ff0874

  • SSDEEP

    12288:r/0J30oSnbdOhxk/Be4WCPryqtjKj/fjDoNNWyF8NAlJZsY385RMHbs3Gq6Kc62q:r/0J30bMk/MCP2qE/7kVVj8vM7sGpKXJ

Malware Config

Extracted

Family

xworm

C2

kc6fvwrif8.duckdns.org:1605

Attributes
  • Install_directory

    %AppData%

  • install_file

    msedge.exe

Targets

    • Target

      XcHvYYrNa.exe

    • Size

      748KB

    • MD5

      bfc4d41e586c74ee484b3faa09bf687b

    • SHA1

      bb689c652f2c8be785c8a573a4497ab7912fcdbf

    • SHA256

      0fbaf06d72dc67cf331ffef548ea345f139409fd66dbaf6da3467b8ad2712785

    • SHA512

      a4ecaac361193345bb273cc3ff422b7558a8e1b384b2907457c662ff9d59afa222bd93afdb1e3ded5634ab3f174bba3759f389cd1c59db58f48e0290b9ff0874

    • SSDEEP

      12288:r/0J30oSnbdOhxk/Be4WCPryqtjKj/fjDoNNWyF8NAlJZsY385RMHbs3Gq6Kc62q:r/0J30bMk/MCP2qE/7kVVj8vM7sGpKXJ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (the Add-MpPreference cmdlet's -ExclusionExtension, -ExclusionPath and -ExclusionProcess parameters). Defender records each such configuration change as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and with Script Block Logging enabled the cmdlet invocation itself appears as event ID 4104 in Microsoft-Windows-PowerShell/Operational, so both logs are worth checking on a suspected host.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup web service to learn the infected host's external IP address; the lookup itself is benign traffic, so it is only a weak indicator unless it is correlated with the other behaviours above.
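The extracted config (C2 host, install directory, install file name) and the behaviours listed above translate directly into host-side detection logic. The following Python block is an added example, not part of the sandbox report and not XWorm's own code: it runs three checks over constructed Sysmon-style events, a process image named msedge.exe running outside the real Edge install directories (the %AppData%\msedge.exe masquerade from the config), a PowerShell command line or script block that adds a Defender exclusion, and a DNS query for the report's C2 domain or for a public IP lookup service. The event dictionary layout, the list of legitimate Edge directories and the list of IP lookup hosts are assumptions chosen for the example; the C2 domain, port and install file name are taken from the config above.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the report's extracted XWorm config.
C2_HOST = "kc6fvwrif8.duckdns.org"
C2_PORT = 1605
INSTALL_FILE = "msedge.exe"

# Assumption: default Microsoft Edge install locations. Anything else named
# msedge.exe (for example under %AppData%) is treated as a masquerade.
LEGIT_EDGE_DIRS = (
    r"c:\program files\microsoft\edge\application",
    r"c:\program files (x86)\microsoft\edge\application",
)

# Assumption: a short list of public IP lookup services commonly abused for
# "what is my external IP" checks. The report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}

# Matches Add-MpPreference / Set-MpPreference followed by one of the three
# exclusion parameters the report mentions (path, extension, process).
EXCLUSION_RE = re.compile(
    r"(?:add|set)-mppreference\b.*?-exclusion(?:path|extension|process)\b",
    re.IGNORECASE | re.DOTALL,
)


def is_masquerading_edge(image: str) -> bool:
    """True if the image is called msedge.exe but lives outside a real Edge directory."""
    p = image.lower()
    if not p.endswith("\\" + INSTALL_FILE):
        return False
    return not any(p.startswith(d + "\\") for d in LEGIT_EDGE_DIRS)


def adds_defender_exclusion(text: str) -> bool:
    """True if a command line or script block adds a Defender exclusion."""
    return EXCLUSION_RE.search(text) is not None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to one event."""
    tags: List[str] = []
    kind = event.get("type")
    if kind == "process":
        if is_masquerading_edge(event.get("image", "")):
            tags.append("msedge_masquerade")
        if adds_defender_exclusion(event.get("command_line", "")):
            tags.append("defender_exclusion")
    elif kind == "scriptblock":  # PowerShell event 4104 text
        if adds_defender_exclusion(event.get("text", "")):
            tags.append("defender_exclusion")
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query == C2_HOST:
            tags.append("xworm_c2_dns")
        elif query in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")
    return tags


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count how many events hit each detection tag."""
    counts: Dict[str, int] = {}
    for ev in events:
        for tag in classify(ev):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample events mirroring the behaviours in the report.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\msedge.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\msedge.exe"},
    {"type": "process",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": "msedge.exe --type=renderer"},
    {"type": "scriptblock",
     "text": 'Add-MpPreference -ExclusionPath "C:\\Users\\alice\\AppData\\Roaming" '
             "-ExclusionProcess msedge.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c Add-MpPreference -ExclusionExtension exe"},
    {"type": "dns", "query": "kc6fvwrif8.duckdns.org"},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), ev)
    print(scan(SAMPLE_EVENTS))
```

The exclusion regex deliberately covers Set-MpPreference as well as Add-MpPreference, since either cmdlet can install the exclusions the report describes; a real deployment would feed it from event ID 4104 script block text and from process creation command lines, because the two sources catch different execution styles (encoded or file-based scripts versus inline -Command arguments).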

MITRE ATT&CK Enterprise v15

Tasks