General

  • Target

    [re.exe

  • Size

    192KB

  • Sample

    240527-jstajsea32

  • MD5

    16284b9b8751956638ee373798924b1a

  • SHA1

    58ccb70a7319dfb593d1c22c2ea1af68706b037f

  • SHA256

    f95f2f8419a6c3feabe49924c3d2f86c32508e3353f11261bd4407f4c4f62849

  • SHA512

    2c0f5156da8fec0c991dea46adb9c4546a74534645848027233a2eb28085d11380e11c944e98822ef204cd2298e1c92df08cc1718e985014d373d428beae1245

  • SSDEEP

    3072:U5gIq2VWvt1gb1FonCkkO4bvgO3Bz65/M6If+3Js+3JFkKeTn3:v2Abgb1OnCxBt25

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:1682

147.185.221.17:1682

17.ip.gl.ply.gg:1682

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Targets

    • Target

      [re.exe

    • Size

      192KB

    • MD5

      16284b9b8751956638ee373798924b1a

    • SHA1

      58ccb70a7319dfb593d1c22c2ea1af68706b037f

    • SHA256

      f95f2f8419a6c3feabe49924c3d2f86c32508e3353f11261bd4407f4c4f62849

    • SHA512

      2c0f5156da8fec0c991dea46adb9c4546a74534645848027233a2eb28085d11380e11c944e98822ef204cd2298e1c92df08cc1718e985014d373d428beae1245

    • SSDEEP

      3072:U5gIq2VWvt1gb1FonCkkO4bvgO3Bz65/M6If+3Js+3JFkKeTn3:v2Abgb1OnCxBt25

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
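
The configuration and behaviours above translate directly into host-telemetry checks. The following is an added detection example, not code from the report or from the sandbox: it matches the report's own indicators (the C2 endpoints on port 1682, the %ProgramData%\USB.exe install path, the Run-key persistence and the PowerShell Defender-exclusion behaviour) against Sysmon-style event records. The event field names (EventID, Image, CommandLine, TargetFilename, TargetObject, Details, DestinationIp, DestinationHostname, DestinationPort) follow Sysmon conventions, the use of Add-MpPreference for the exclusions is an assumption (the report only says exclusions are added via PowerShell), and the sample events, including the SID and the victim path, are constructed to mirror the listed behaviours, with two benign decoys. The 127.0.0.1:1682 entry from the config is deliberately left out of the network indicator set, because loopback traffic never reaches a remote host and would match ordinary local connections.

```python
"""Host-telemetry triage for the XWorm indicators in this report.

Added example: not code from the report or the sandbox. The events below are
constructed Sysmon-style records, not telemetry from the actual detonation.
"""
import re

# Indicators copied from the report's Malware Config / Targets sections.
C2_PORT = 1682
C2_ADDRESSES = {"147.185.221.17", "17.ip.gl.ply.gg"}
# 127.0.0.1:1682 is also listed in the config, but loopback never reaches a
# remote host and would match normal local traffic, so it is not an indicator.

INSTALL_FILE_RE = re.compile(r"\\ProgramData\\USB\.exe$", re.IGNORECASE)  # %ProgramData%\USB.exe
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumption: exclusions are added with Add-MpPreference; the report only says
# PowerShell adds extension, path and process exclusions.
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.IGNORECASE | re.DOTALL)


def is_defender_exclusion(ev):
    """Sysmon EID 1 (process create): PowerShell adding a Defender exclusion."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    if not (image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")):
        return False
    return bool(DEFENDER_EXCLUSION_RE.search(ev.get("CommandLine", "")))


def is_install_drop(ev):
    """Sysmon EID 11 (file create): the install_file written under %ProgramData%."""
    return ev.get("EventID") == 11 and bool(INSTALL_FILE_RE.search(ev.get("TargetFilename", "")))


def is_run_key_persistence(ev):
    """Sysmon EID 13 (registry value set): a Run value pointing at the dropped file."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return False
    return bool(INSTALL_FILE_RE.search(ev.get("Details", "").strip('"')))


def is_c2_connection(ev):
    """Sysmon EID 3 (network connect): outbound to a configured C2 on port 1682."""
    if ev.get("EventID") != 3 or int(ev.get("DestinationPort", 0)) != C2_PORT:
        return False
    dest = {ev.get("DestinationIp", ""), ev.get("DestinationHostname", "")}
    return bool(dest & C2_ADDRESSES)


CHECKS = {
    "defender_exclusion_via_powershell": is_defender_exclusion,
    "install_file_dropped": is_install_drop,
    "run_key_persistence": is_run_key_persistence,
    "c2_connection": is_c2_connection,
}


def triage(events):
    """Return {indicator_name: [event indexes]} for every indicator that fired."""
    hits = {}
    for idx, ev in enumerate(events):
        for name, check in CHECKS.items():
            if check(ev):
                hits.setdefault(name, []).append(idx)
    return hits


# Constructed sample telemetry (Sysmon field names; SID, paths and values are
# made up to mirror the behaviours the report lists, plus two benign decoys).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -NoProfile -Command "Add-MpPreference -ExclusionPath C:\ProgramData\USB.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},                        # benign decoy
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\[re.exe",
     "TargetFilename": r"C:\ProgramData\USB.exe"},
    {"EventID": 13, "Image": r"C:\ProgramData\USB.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "Details": r"C:\ProgramData\USB.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\USB.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 1682},              # loopback decoy
    {"EventID": 3, "Image": r"C:\ProgramData\USB.exe",
     "DestinationIp": "147.185.221.17", "DestinationHostname": "17.ip.gl.ply.gg",
     "DestinationPort": 1682},
]

if __name__ == "__main__":
    for name, idxs in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {idxs}")
```

Each check is deliberately narrow so it can be read against the report line it implements; on real telemetry you would also carry the parent image and user from the matching events into the alert, and treat the Run key and install-path hits as the higher-confidence signals, since the C2 IP and tunnel hostname can change between samples while the install_file and directory come from the embedded config.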

MITRE ATT&CK Enterprise v15

Tasks