General

  • Target

    Steam.exe

  • Size

    438KB

  • Sample

    240527-j57cyadd7s

  • MD5

    4b784bf857356251bccf184911e0e8d8

  • SHA1

    5ef9015b62a62f4b2bff9a34fb5f3d1639a29937

  • SHA256

    3c786fd8f95d6787bf27728c6aa5d58054c6e923445147229f95de18ac4bbacd

  • SHA512

    73d2b89b3f9b83c18cc3fd270ef26a288625fc339acc29b0e806b57c185313bb7bfc084cddd8cb95449034bef8ac60481c6b150469eaf4ae2c09a1e9efa5f2da

  • SSDEEP

    6144:YfjoMm6fbwY/D8TWrbTP/8+GIIIIIIIhIIIIIIIIIIIIIIIU:sfLheWzPX

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15