Resubmissions

25-05-2024 23:52    240525-3wsmzafa71    10

25-05-2024 23:51    240525-3wfy6sfg57    10

General

  • Target

    Downloader.exe

  • Size

    172KB

  • Sample

    240525-3wsmzafa71

  • MD5

    2abeee7f0df3dc607c1ae817874614e5

  • SHA1

    ee42af4f64be2a57daa2ad5f52cef71fa71e752b

  • SHA256

    f981bf8b20d2f02b6909889a59d13bb0bd47199d3c9cc8369252809792df5779

  • SHA512

    f422ec1c5024049640f1c13630db790dc46644460beb7ee3155f6f18049258f24a0b80a8fbf39ef7a769b3e1a3206b830f833987363844150cd1d017f92d43c6

  • SSDEEP

    3072:APbyugrI92T15YaobF1gGPOLu/SBz65/M6If+3Js+3JFkKeTnO:APgKA15YlbKqSxBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1337

104.28.229.13:1337

192.168.2.133:1337

Attributes

  • Install_directory

    %ProgramData%

  • install_file

    SystemDefender.exe

  • telegram

    https://api.telegram.org/bot6911706583:AAGIck5-GICDZLswgqJrJgL5L_TBxq7tj7Y/sendMessage?chat_id=6727135086

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
