General
-
Target
[re.exe
-
Size
192KB
-
Sample
240527-jstajsea32
-
MD5
16284b9b8751956638ee373798924b1a
-
SHA1
58ccb70a7319dfb593d1c22c2ea1af68706b037f
-
SHA256
f95f2f8419a6c3feabe49924c3d2f86c32508e3353f11261bd4407f4c4f62849
-
SHA512
2c0f5156da8fec0c991dea46adb9c4546a74534645848027233a2eb28085d11380e11c944e98822ef204cd2298e1c92df08cc1718e985014d373d428beae1245
-
SSDEEP
3072:U5gIq2VWvt1gb1FonCkkO4bvgO3Bz65/M6If+3Js+3JFkKeTn3:v2Abgb1OnCxBt25
Behavioral task
behavioral1
Sample
[re.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
[re.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
xworm
127.0.0.1:1682
147.185.221.17:1682
17.ip.gl.ply.gg:1682
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Targets
-
-
Target
[re.exe
-
Size
192KB
-
MD5
16284b9b8751956638ee373798924b1a
-
SHA1
58ccb70a7319dfb593d1c22c2ea1af68706b037f
-
SHA256
f95f2f8419a6c3feabe49924c3d2f86c32508e3353f11261bd4407f4c4f62849
-
SHA512
2c0f5156da8fec0c991dea46adb9c4546a74534645848027233a2eb28085d11380e11c944e98822ef204cd2298e1c92df08cc1718e985014d373d428beae1245
-
SSDEEP
3072:U5gIq2VWvt1gb1FonCkkO4bvgO3Bz65/M6If+3Js+3JFkKeTn3:v2Abgb1OnCxBt25
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-