General
-
Target
69b4f3e7db53a18e1352367ecbf25dba0b86e96af655e6127db1b1205a181f63
-
Size
40KB
-
Sample
240523-tgb71agf34
-
MD5
e5cb8c66cab6a972529a85480b9881bc
-
SHA1
58eb0e24f0eb4865838d307df886d2b40bfb77cd
-
SHA256
69b4f3e7db53a18e1352367ecbf25dba0b86e96af655e6127db1b1205a181f63
-
SHA512
6c049e084e00eea72b3b78480fb79879c8c961d188178b3c59211bbc69ab25deaf88453dc1f4ec23c08ee80e452a453464780193e849121f2f625f96f0dd26f3
-
SSDEEP
768:uNfPMSk3K/EzTb/0x8WuFZ4lJF5PC9O9EB68OMh63/aO:uf05a/CTjM89UFc9UEB68OMsx
Malware Config
Extracted
xworm
5.0
45.141.26.119:1996
wHK5NlknpAL3Lk1X
-
Install_directory
%AppData%
-
install_file
csrss.exe
Targets
-
-
Target
69b4f3e7db53a18e1352367ecbf25dba0b86e96af655e6127db1b1205a181f63
-
Size
40KB
-
MD5
e5cb8c66cab6a972529a85480b9881bc
-
SHA1
58eb0e24f0eb4865838d307df886d2b40bfb77cd
-
SHA256
69b4f3e7db53a18e1352367ecbf25dba0b86e96af655e6127db1b1205a181f63
-
SHA512
6c049e084e00eea72b3b78480fb79879c8c961d188178b3c59211bbc69ab25deaf88453dc1f4ec23c08ee80e452a453464780193e849121f2f625f96f0dd26f3
-
SSDEEP
768:uNfPMSk3K/EzTb/0x8WuFZ4lJF5PC9O9EB68OMh63/aO:uf05a/CTjM89UFc9UEB68OMsx
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-