General
-
Target
B1OdUv8CBH.exe
-
Size
18.8MB
-
Sample
240521-xgl9raeg8v
-
MD5
c5df5afb4679cbea28de24ff9ed306a2
-
SHA1
fe968a913c1377f0e85cc4c95afa3129a2f9ae22
-
SHA256
a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478
-
SHA512
a4ddb32c744da55829823feb140c2c48612d442459ec76daf7ec0459327e8422222a380c53802c15b298cf122f1f86fe2891b2bf04732ef764d62fb182cd7e70
-
SSDEEP
196608:EXi2sOT7HnJ+7CBgHcyCkaIH2kkoyhr5QXNDe6JaCPU8rblcRHrdcKZ5CRO2HACB:ci07we4+TB6zxJcRBdCrHxwwR
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/a1kmrNub
Targets
-
-
Target
B1OdUv8CBH.exe
-
Size
18.8MB
-
MD5
c5df5afb4679cbea28de24ff9ed306a2
-
SHA1
fe968a913c1377f0e85cc4c95afa3129a2f9ae22
-
SHA256
a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478
-
SHA512
a4ddb32c744da55829823feb140c2c48612d442459ec76daf7ec0459327e8422222a380c53802c15b298cf122f1f86fe2891b2bf04732ef764d62fb182cd7e70
-
SSDEEP
196608:EXi2sOT7HnJ+7CBgHcyCkaIH2kkoyhr5QXNDe6JaCPU8rblcRHrdcKZ5CRO2HACB:ci07we4+TB6zxJcRBdCrHxwwR
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-