General

  • Target

    https://gofile.io/d/erWKY2

  • Sample

    240526-2cb1fafc36

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/e1v1/W/releases/download/W/Microsoft.exe

Extracted

Family

xworm

Version

5.0

C2

authority-amazon.gl.at.ply.gg:41414

Mutex

W9azsvu0nfaQ3oLs

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7023329957:AAGrtMc9nGwwFPrmf42kuarr0d-0Wv_gTls/sendMessage?chat_id=6496715252

aes.plain

Targets

    • Target

      https://gofile.io/d/erWKY2

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks