General

  • Target

    multi_tools_v5.bat

  • Size

    162KB

  • Sample

    240526-bsehdsad64

  • MD5

    b9c78fdb54ac4c0edfc496d0787ded87

  • SHA1

    0345a979b612554c95efba49c51751d45a2b4065

  • SHA256

    600d8b10815dc68ec508f75fa7b72eea73bfa63719530281bb25cee3af5555a1

  • SHA512

    0cfa3e24731c31b59c2c1211ef0a827dea37ef4f5225a8d2747b1b89a8bfb8a4d963a92ab656ed2d8b87693409ec7d74dd723cfa83fea84af1d894fbcd4dc3e6

  • SSDEEP

    3072:pGGDOEkb+1yd+/xwr5Txg1uf6tEP2PZPv35iGIKMJdaz92bcz:pGGiEa+YdH5i1ufupZ33EGIKMAkbcz

Malware Config

Extracted

Family

xworm

Version

5.0

C2

Thecoolboi991-51392.portmap.io:8080

Mutex

p5890lIR4RrQyjsq

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      multi_tools_v5.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.
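The config and behaviours above give a compact indicator set: the C2 host and port, the mutex, the %AppData%\XClient.exe install path, Defender exclusions added through PowerShell, and an external IP lookup. The following Python is an added example, not part of the sandbox report or of the malware, that matches constructed sandbox-style telemetry lines against those indicators. The event line format (key="value" pairs with a type field), the list of IP-lookup hosts, and the ATT&CK mapping are the example's own assumptions; only the indicator values come from the report.

```python
"""Match constructed sandbox-style telemetry against the xworm indicators in this report."""
import re

# Indicators taken from the extracted config and signatures above.
C2_HOST = "Thecoolboi991-51392.portmap.io"
C2_PORT = 8080
MUTEX = "p5890lIR4RrQyjsq"
INSTALL_FILE = "XClient.exe"
INSTALL_DIR_HINT = r"\appdata\roaming"  # what %AppData% expands to for a default profile

# Assumption: the report does not name the IP-lookup service, so this is an illustrative list.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "checkip.amazonaws.com"}

# Assumption: ATT&CK Enterprise technique IDs chosen for this example, not taken from the report.
ATTACK_MAP = {
    "defender_exclusion": "T1562.001",   # Impair Defenses: Disable or Modify Tools
    "run_key_persistence": "T1547.001",  # Boot or Logon Autostart: Registry Run Keys
    "external_ip_lookup": "T1016",       # System Network Configuration Discovery
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
MP_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I | re.S
)


def parse_event(line):
    """Parse one constructed key=value / key="value" telemetry line into a dict."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def rule_defender_exclusion(ev):
    """PowerShell command line that adds a Defender exclusion (path, process, or extension)."""
    return ev.get("type") == "process" and bool(MP_EXCLUSION_RE.search(ev.get("cmdline", "")))


def rule_run_key_persistence(ev):
    """Run/RunOnce value whose data points at the reported install file under %AppData%."""
    if ev.get("type") != "registry" or not RUN_KEY_RE.search(ev.get("key", "")):
        return False
    data = ev.get("data", "").lower()
    return INSTALL_DIR_HINT in data and INSTALL_FILE.lower() in data


def rule_xworm_mutex(ev):
    """Exact match on the mutex name from the extracted config."""
    return ev.get("type") == "mutex" and ev.get("name") == MUTEX


def rule_external_ip_lookup(ev):
    """Outbound connection to one of the assumed public IP-lookup hosts."""
    return ev.get("type") == "network" and ev.get("dst_host", "").lower() in IP_LOOKUP_HOSTS


def rule_c2_connection(ev):
    """Outbound connection to the reported C2 host on the reported port."""
    return (
        ev.get("type") == "network"
        and ev.get("dst_host", "").lower() == C2_HOST.lower()
        and ev.get("dst_port") == str(C2_PORT)
    )


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "run_key_persistence": rule_run_key_persistence,
    "xworm_mutex": rule_xworm_mutex,
    "external_ip_lookup": rule_external_ip_lookup,
    "c2_connection": rule_c2_connection,
}


def match_events(lines):
    """Return (event index, rule name) for every rule that fires on each parsed event."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        hits.extend((i, name) for name, rule in RULES.items() if rule(ev))
    return hits


# Constructed telemetry in the order the report's behaviours would appear; not real sandbox output.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd /c multi_tools_v5.bat"',
    'type=process image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -Command Add-MpPreference -ExclusionPath \'C:\\Users\\user\\AppData\\Roaming\' '
    '-ExclusionProcess \'XClient.exe\'"',
    'type=registry key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="XClient" '
    'data="C:\\Users\\user\\AppData\\Roaming\\XClient.exe"',
    "type=mutex name=p5890lIR4RrQyjsq",
    "type=network dst_host=api.ipify.org dst_port=443",
    "type=network dst_host=Thecoolboi991-51392.portmap.io dst_port=8080",
    "type=network dst_host=www.microsoft.com dst_port=443",
]

if __name__ == "__main__":
    for idx, name in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name} ({ATTACK_MAP.get(name, 'n/a')})")
```

The Run-key rule deliberately requires both the %AppData% path fragment and the XClient.exe file name, since a bare filename match would also fire on unrelated software that happens to reuse the name; the C2 rule pins the port, because portmap.io hands out a different forwarded port per tunnel and the same hostname on another port is a different indicator.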

MITRE ATT&CK Enterprise v15

Tasks