General
- Target: OverwolfXclient.exe
- Size: 1.2MB
- Sample: 240524-xnla2afe51
- MD5: c08106fd9c5999388d5e541743d45d5b
- SHA1: 571f4333cd757db2870e2459724b545e43ffcc11
- SHA256: 8d4e23ba1ce9eab2340bad5e14111dc565bbe8de53653375ac3806f448dcc0ac
- SHA512: 65c2e544e88b63e8d1216731be75f0407784d620af1b2dfa649eb87e9e6408ffa43a3697a94c8d4cf6cc9f8dfc83a0a824397ac75bbdde9fe3440802117e8261
- SSDEEP: 24576:908rin0gKu22AcpyGCcCBSrikukOqk344WIGu31rg:908rin0gKu22AcpyGC9kTOK4WIGWg
Static task: static1
Behavioral task: behavioral1
- Sample: OverwolfXclient.exe
- Resource: win7-20240215-en
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 127.0.0.1:7777
- C2: 45.145.41.147:7777
- 5N4ZirqATbPp1e8c
- Install_directory: %ProgramData%
- install_file: WinBackup.exe
Targets
- Target: OverwolfXclient.exe
- Score: 10/10
Signatures
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext