General
- Target: 4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe
- Size: 560KB
- Sample: 240522-r2nqeseg3v
- MD5: 4a5f7263d5e978024e4d3c7abed82307
- SHA1: 0a8f9bb8e9058beb4bd67ea08b8ef82bc90fcd8c
- SHA256: 4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf
- SHA512: d843fe704beeb3b61916c789626bc908eed44455a34a86a65994db47c759311aef05c4f2d1530f2f073e99e6bdf3dc2b15944772fee7d161b492e70ba8a09c22
- SSDEEP: 12288:IzxKn6yWn7fcpVZlu/6uHqa9XnWsh9P5u7JwdprNLUgNYGutA:rn698VVYFlRu7J6ZUgNiA

Static task: static1
Behavioral task: behavioral1
Sample: 4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe
Resource: win7-20240221-en

Malware Config
Extracted
- Family: xworm
- C2: 104.250.180.178:7061
- Install_directory: %AppData%
- install_file: XClient.exe

Targets
- Target: 4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf.exe
- Size: 560KB
- MD5: 4a5f7263d5e978024e4d3c7abed82307
- SHA1: 0a8f9bb8e9058beb4bd67ea08b8ef82bc90fcd8c
- SHA256: 4fb48e8fd54c7dba1422489d3312e5c0bde0f8e4d375103c28160403624afabf
- SHA512: d843fe704beeb3b61916c789626bc908eed44455a34a86a65994db47c759311aef05c4f2d1530f2f073e99e6bdf3dc2b15944772fee7d161b492e70ba8a09c22
- SSDEEP: 12288:IzxKn6yWn7fcpVZlu/6uHqa9XnWsh9P5u7JwdprNLUgNYGutA:rn698VVYFlRu7J6ZUgNiA

Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext