General
- Target: XWorm.exe
- Size: 201KB
- Sample: 240525-lgrzfscf3z
- MD5: acf8853358a7aa1b667fea958b893a5d
- SHA1: bb13587ce9f55a75765fe12994debb6e07a5810a
- SHA256: 349b3468ba55fa9b2d4e800323a28b7b388663cf54ab35e688ae67a9819e02b6
- SHA512: cb8a46077594042ba43d85acef88d6e0a6c9e9f2c7e9c6c185ecd5d1c36a5f71c75759dbbbda4f3b47f80131f48b3cba808d487b11a2eaceecbdf9c19afe2c84
- SSDEEP: 3072:fNE2oXkEPibC1/EaOTPTVdwtA2ewhLapuvpAsZOyMqmyBeYVYv:fjEPib4cYP/GWGwqqm1
Behavioral task: behavioral1
- Sample: XWorm.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: XWorm.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted family: xworm
- C2:
  - 127.0.0.1:37915
  - 5.39.43.50:37915
  - de-engines.gl.at.ply.gg:37915
  - these-accommodation.gl.at.ply.gg:37915
- Install_directory: %AppData%
- install_file: dllhost.exe
Targets
- Target: XWorm.exe
- Size: 201KB
- Score: 10/10
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.