General
-
Target
f17a7d53495cc248d74118fc78cf7e50_NeikiAnalytics.exe
-
Size
214KB
-
Sample
240523-ldmkkabh6t
-
MD5
f17a7d53495cc248d74118fc78cf7e50
-
SHA1
08aab69cc6be1c2334f128f8457c16273dba811a
-
SHA256
816118f64a074acf4bf30affa2a3b65464841eac913f337ba04f4c44c0a85844
-
SHA512
0f151f803b4d061c2aac04b5d77213ba238b125cddeca7fad4ab01b2101bc3cecdfb9cc7d59e966a414ca2a8e45faea432ed723974ba67f6d0f16371e96e2e6d
-
SSDEEP
3072:FvexMjx2K7cWd62A7J7f+MDaiQ+XGv0j/U9ugZuNS0ZAdGY:Fvvjh6JKMDaiQ+H/AE4dp
Malware Config
Extracted
xworm
omglunie.hopto.org:6969
-
Install_directory
%LocalAppData%
-
install_file
chrome.exe
-
telegram
https://api.telegram.org/bot7108078952:AAGx4dmK8gwBS0YEMlWvpSNNaz2ShaJQbqE
Targets
-
-
Target
f17a7d53495cc248d74118fc78cf7e50_NeikiAnalytics.exe
-
Size
214KB
-
MD5
f17a7d53495cc248d74118fc78cf7e50
-
SHA1
08aab69cc6be1c2334f128f8457c16273dba811a
-
SHA256
816118f64a074acf4bf30affa2a3b65464841eac913f337ba04f4c44c0a85844
-
SHA512
0f151f803b4d061c2aac04b5d77213ba238b125cddeca7fad4ab01b2101bc3cecdfb9cc7d59e966a414ca2a8e45faea432ed723974ba67f6d0f16371e96e2e6d
-
SSDEEP
3072:FvexMjx2K7cWd62A7J7f+MDaiQ+XGv0j/U9ugZuNS0ZAdGY:Fvvjh6JKMDaiQ+H/AE4dp
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-