General
-
Target
2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe
-
Size
1.4MB
-
Sample
240522-bmx3jsfh4s
-
MD5
e84bb6efc8e0ebec1826b770cfb59bd9
-
SHA1
5fe35e0b634a95fcff997882839004a225a29bf1
-
SHA256
2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b
-
SHA512
562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810
-
SSDEEP
24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT
Malware Config
Extracted
xworm
5.0
79.110.49.133:5700
Bg9JRZDpyEfXxrAy
-
install_file
USB.exe
Targets
-
-
Target
2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b.exe
-
Size
1.4MB
-
MD5
e84bb6efc8e0ebec1826b770cfb59bd9
-
SHA1
5fe35e0b634a95fcff997882839004a225a29bf1
-
SHA256
2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b
-
SHA512
562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810
-
SSDEEP
24576:uOnCbIk+tdLb0Tj3ndie/UV7EMhD6ZnlyBI0DJewitKUiVh8t6S9U8XxT9Q+FTtT:prUlH0UcBS9UutT
Score10/10-
Detect Xworm Payload
-
UAC bypass
-
Windows security bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables packed with or use KoiVM
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-