General
-
Target
d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe
-
Size
1.0MB
-
Sample
240522-vtepbsac4y
-
MD5
a17247378506d83bb0d37b5c1a0f654d
-
SHA1
5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d
-
SHA256
d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae
-
SHA512
21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275
-
SSDEEP
24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP
Malware Config
Extracted
xworm
5.0
79.110.49.133:5700
Bg9JRZDpyEfXxrAy
-
install_file
USB.exe
Targets
-
-
Target
d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae.exe
-
Size
1.0MB
-
MD5
a17247378506d83bb0d37b5c1a0f654d
-
SHA1
5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d
-
SHA256
d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae
-
SHA512
21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275
-
SSDEEP
24576:42kQjNXFD9wX+3zH6s5K4Z3L+M8ucAv23vUPqPmP:XOOmM3L+Ruc9CP
Score10/10-
Detect Xworm Payload
-
UAC bypass
-
Windows security bypass
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-