General
Target: multi_tools_v5.bat
Size: 162KB
Sample: 240526-bsehdsad64
MD5: b9c78fdb54ac4c0edfc496d0787ded87
SHA1: 0345a979b612554c95efba49c51751d45a2b4065
SHA256: 600d8b10815dc68ec508f75fa7b72eea73bfa63719530281bb25cee3af5555a1
SHA512: 0cfa3e24731c31b59c2c1211ef0a827dea37ef4f5225a8d2747b1b89a8bfb8a4d963a92ab656ed2d8b87693409ec7d74dd723cfa83fea84af1d894fbcd4dc3e6
SSDEEP: 3072:pGGDOEkb+1yd+/xwr5Txg1uf6tEP2PZPv35iGIKMJdaz92bcz:pGGiEa+YdH5i1ufupZ33EGIKMAkbcz
Static task: static1
Behavioral task: behavioral1
  Sample: multi_tools_v5.bat
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: multi_tools_v5.bat
  Resource: win10v2004-20240426-en
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: Thecoolboi991-51392.portmap.io:8080
Mutex: p5890lIR4RrQyjsq
Install_directory: %AppData%
install_file: XClient.exe
Targets
Target: multi_tools_v5.bat (size and hashes as listed under General)
Score: 10/10

Signatures
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence check.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
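The following is an added example, not part of this Triage report and not code from the Xworm sample. It turns the signatures listed above, together with the C2 host and install file from the extracted config, into checks that run over a handful of constructed sandbox-style events (process creation, registry reads and writes, DNS queries, outbound connections). The list of external-IP lookup hostnames and the `Control Panel\International\Geo\Nation` registry value are assumptions about what the "external IP" and "computer location" signatures fire on; they are not stated in the report.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the extracted Xworm config in this report.
C2_HOST = "Thecoolboi991-51392.portmap.io"
C2_PORT = 8080
INSTALL_FILE = "XClient.exe"

# Assumptions, not from the report: external-IP lookup services an Xworm build
# commonly queries, and the GeoID registry value behind the "Checks computer
# location settings" signature.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
GEO_NATION_KEY = r"control panel\international\geo\nation"

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?(\\|$)", re.I)
MP_PREF_RE = re.compile(r"add-mppreference\b(?P<opts>.*)", re.I)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension <value>, optionally quoted.
EXCL_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<q>['\"]?)(?P<val>[^'\"\s]+)(?P=q)", re.I
)


@dataclass
class Event:
    """Constructed, sandbox-style event: kind is one of
    process, registry_read, registry_set, dns, network."""
    kind: str
    data: dict = field(default_factory=dict)


def check_process(ev):
    out = []
    cmd = ev.data.get("command_line", "")
    m = MP_PREF_RE.search(cmd)
    if m:  # PowerShell adding Defender exclusions: record what was excluded
        excl = [(e.group("kind").lower(), e.group("val")) for e in EXCL_RE.finditer(m.group("opts"))]
        out.append(("defender_exclusion", excl))
    image = ev.data.get("image", "").lower()
    # Dropped payload executed from the configured install directory (%AppData%).
    if image.endswith("\\" + INSTALL_FILE.lower()) and "\\appdata\\roaming\\" in image:
        out.append(("dropped_exe_executed", ev.data["image"]))
    return out


def check_registry(ev):
    key = ev.data.get("key", "").lower()
    if ev.kind == "registry_read" and key.endswith(GEO_NATION_KEY):
        return [("geolocation_check", ev.data["key"])]
    if (ev.kind == "registry_set" and RUN_KEY_RE.search(key)
            and INSTALL_FILE.lower() in ev.data.get("value", "").lower()):
        return [("run_key_persistence", ev.data["value"])]
    return []


def check_dns(ev):
    name = ev.data.get("query", "").lower()
    if name == C2_HOST.lower():
        return [("c2_dns_lookup", name)]
    if name in IP_LOOKUP_HOSTS:
        return [("external_ip_lookup", name)]
    return []


def check_network(ev):
    if ev.data.get("host", "").lower() == C2_HOST.lower() and ev.data.get("port") == C2_PORT:
        return [("c2_connection", f"{ev.data['host']}:{ev.data['port']}")]
    return []


CHECKS = {
    "process": check_process,
    "registry_read": check_registry,
    "registry_set": check_registry,
    "dns": check_dns,
    "network": check_network,
}


def scan(events):
    """Return (tag, detail) findings for every event that matches a check."""
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev.kind, lambda e: [])(ev))
    return findings


# Constructed events mirroring the report's behaviours; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "command_line": r"powershell -WindowStyle Hidden -Command Add-MpPreference "
                                      r"-ExclusionPath 'C:\Users\victim\AppData\Roaming' "
                                      r"-ExclusionProcess 'XClient.exe' -ExclusionExtension '.exe'"}),
    Event("registry_read", {"key": r"HKCU\Control Panel\International\Geo\Nation"}),
    Event("registry_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                           "name": "XClient", "value": r"C:\Users\victim\AppData\Roaming\XClient.exe"}),
    Event("process", {"image": r"C:\Users\victim\AppData\Roaming\XClient.exe",
                      "command_line": r"C:\Users\victim\AppData\Roaming\XClient.exe"}),
    Event("dns", {"query": "api.ipify.org"}),
    Event("dns", {"query": C2_HOST}),
    Event("network", {"host": C2_HOST, "port": C2_PORT}),
    Event("dns", {"query": "www.microsoft.com"}),  # benign, should not match
]

if __name__ == "__main__":
    for tag, detail in scan(SAMPLE_EVENTS):
        print(f"{tag}: {detail}")
```

The Defender-exclusion check deliberately extracts the excluded path, process and extension rather than just flagging `Add-MpPreference`, because those values tell a responder what the dropped payload will be named and where it will live; here they line up with the `%AppData%` install directory and `XClient.exe` install file from the extracted config.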