General
Target: Moon injector.zip
Size: 144KB
Sample: 240524-kfpl9sbc4z
MD5: ce77e911a5daeed85e29270a4ee2bc51
SHA1: d30f5fe4e4d3c7acc9b3a5540f4fd44983bc94d3
SHA256: c61fa2268af1a99cea40efc7d65dacb22e9f848ce1095f6b71ff177d5a428eca
SHA512: b201cfeda57934abf70e141db1bb8820d083c845ca0eb2e6484f3245f1227801daa853fd66cbce263799dfb6a39f3316a80b0b0d452e34f81b487927e9ab4771
SSDEEP: 3072:Qt+rUKfEpEaDv5Z+iVbqc3eTSTPlkW6RYBnDspXsRXlfMlo0yk7c:Qt+rdEJv5Z+i8cOTU+W66B49sDMlj/7c
Static task: static1
Behavioral task: behavioral1
Sample: Moon injector/Moon injector.bat
Resource: win11-20240419-en

Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 83.143.112.35:7000
zXfBo4LwCYB4EEgV
Install_directory: %Temp%
install_file: Google chrome.exe
telegram: https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks
Targets
Target: Moon injector/Moon injector.bat
Size: 195KB
MD5: 6eabc08b51da854cc3ac85f85952a16a
SHA1: bd5e54e73a40d1330fc4e919adc2f081ece29d85
SHA256: 9489825845b0248a40b35b24d6f80b79383a9edaf08e66e09d57c75f7fe56f1d
SHA512: 816d4eb783e7b77e374d05a57b512f8945b1581ec2a9a363fcece0eb15ca12928a6c3a7eee8f0007c878a9a476309bba5e8806167bb025892173d6a49305347a
SSDEEP: 3072:MIml5Q8bTXiMVfTOJS4b/ZxIEp4v4bSfo693+ag6qR97njpfV/c+Xp7JkRJf01M6:Nwf+nb/8EEq6I6kDlVq2MTK9SXn63
Score: 10/10
- Detect XWorm payload
- Blocklisted process makes network request
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Scheduled Task/Job, T1053 (1)
Privilege Escalation
- Boot or Logon Autostart Execution, T1547 (1): Registry Run Keys / Startup Folder, T1547.001 (1)
- Scheduled Task/Job, T1053 (1)
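The indicators in the config and the behaviours listed above (Run key to a dropped EXE under %Temp%, execution of that EXE, a scheduled task, the C2 socket and the Telegram bot URL) translate directly into host- and network-log detections. The script below is an added example, not the sandbox's own signatures: it keys the extracted IOCs into a few rules and runs them over constructed Sysmon-style events (IDs 1, 3 and 13) plus one constructed proxy line. Assumptions are labelled in the comments: `%Temp%` is matched on the `\Temp\` path tail rather than a resolved path, the `Key=Value|Key=Value` log format and the `alice` user are made up for the example, and the schtasks command line is illustrative because the report lists the Scheduled Task/Job technique but not the command it observed.

```python
"""Detection rules derived from the XWorm config and behaviours in the report.

Added example; the log lines below are constructed, not taken from the sandbox.
"""
import re

# Indicators lifted from the report above.
C2_IP, C2_PORT = "83.143.112.35", "7000"
TELEGRAM_BOT = "api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks"
INSTALL_FILE = "Google chrome.exe"   # install_file from the config; real Chrome is chrome.exe

# Assumption: %Temp% ends in \Temp on a user account, so match the path tail.
# \b after the name stops a trailing quote (as in a command line) from breaking the match.
TEMP_DROP = re.compile(r"\\Temp\\" + re.escape(INSTALL_FILE) + r"\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' log line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def detect(ev):
    """Return the names of every rule this single event matches."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    cmdline = ev.get("CommandLine", "")
    # Adds Run key to start application: Sysmon 13 writing a Run value that points into %Temp%.
    if eid == "13" and RUN_KEY.search(ev.get("TargetObject", "")) and TEMP_DROP.search(ev.get("Details", "")):
        hits.append("run_key_to_temp_dropper")
    # Executes dropped EXE: the install_file started from %Temp%.
    if eid == "1" and TEMP_DROP.search(image):
        hits.append("dropped_exe_executed")
    # Scheduled Task/Job: schtasks /create whose action is the dropped EXE (illustrative command).
    if eid == "1" and image.lower().endswith("\\schtasks.exe") and "/create" in cmdline.lower() \
            and TEMP_DROP.search(cmdline):
        hits.append("scheduled_task_to_temp_dropper")
    # Blocklisted process makes network request: socket to the extracted C2.
    if eid == "3" and ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") == C2_PORT:
        hits.append("c2_connection")
    # Telegram bot URL from the config, visible only where URLs are logged (proxy/TLS inspection).
    if TELEGRAM_BOT in ev.get("URL", ""):
        hits.append("telegram_bot_exfil")
    return hits


def scan(lines):
    """Run every event through detect(); return [(rule_name, event_dict), ...] in log order."""
    return [(rule, ev) for ev in map(parse_event, lines) if ev for rule in detect(ev)]


# Constructed events; the user name, SIDs, ports and non-IOC addresses are placeholders.
SAMPLE_LOG = [
    r'EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c "Moon injector.bat"',
    r'EventID=13|Image=C:\Users\alice\AppData\Local\Temp\Google chrome.exe'
    r'|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Google chrome'
    r'|Details=C:\Users\alice\AppData\Local\Temp\Google chrome.exe',
    r'EventID=1|Image=C:\Users\alice\AppData\Local\Temp\Google chrome.exe'
    r'|CommandLine="C:\Users\alice\AppData\Local\Temp\Google chrome.exe"',
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe'
    r'|CommandLine=schtasks /create /f /sc minute /mo 1 /tn "Google chrome"'
    r' /tr "C:\Users\alice\AppData\Local\Temp\Google chrome.exe"',
    r'EventID=3|Image=C:\Users\alice\AppData\Local\Temp\Google chrome.exe'
    r'|DestinationIp=83.143.112.35|DestinationPort=7000',
    r'EventID=3|Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r'|DestinationIp=203.0.113.10|DestinationPort=443',
    r'EventID=Proxy|Image=C:\Users\alice\AppData\Local\Temp\Google chrome.exe'
    r'|URL=https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks/sendMessage',
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_LOG):
        print(f"{rule:32} EventID={ev['EventID']} Image={ev.get('Image', '')}")
```

The benign Chrome event (real binary path, unrelated destination) produces no hit, which is the point of anchoring the rules on the `\Temp\` path rather than on the process name alone: the dropper borrows Chrome's name, not its location.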