General
Target: Downloader.exe
Size: 172KB
Sample: 240525-3wfy6sfg57
MD5: 2abeee7f0df3dc607c1ae817874614e5
SHA1: ee42af4f64be2a57daa2ad5f52cef71fa71e752b
SHA256: f981bf8b20d2f02b6909889a59d13bb0bd47199d3c9cc8369252809792df5779
SHA512: f422ec1c5024049640f1c13630db790dc46644460beb7ee3155f6f18049258f24a0b80a8fbf39ef7a769b3e1a3206b830f833987363844150cd1d017f92d43c6
SSDEEP: 3072:APbyugrI92T15YaobF1gGPOLu/SBz65/M6If+3Js+3JFkKeTnO:APgKA15YlbKqSxBt25
Behavioral task
behavioral1
Sample: Downloader.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted
Family: xworm
C2:
- 127.0.0.1:1337
- 104.28.229.13:1337
- 192.168.2.133:1337
Install_directory: %ProgramData%
install_file: SystemDefender.exe
telegram: https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y/sendMessage?chat_id=6727135086
Targets
Target: Downloader.exe
Size: 172KB
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.