General
Target: 1.rar
Size: 47KB
Sample: 240530-l2tzjsef94
MD5: aafccc3858c70b647a94d73e54894ada
SHA1: d361e0349d7f4df30a491edac9efafe00f2d5b2d
SHA256: c289b644e32dac8b9ae76b02e01cd301a680bb3847ed60c396477d60ec861ac7
SHA512: f8bbed233310113d97c5c65c3f95dc1407b1ff0b9f44ff1edf2c44021ad2b94d59634ceb0967d741a22c9186995fd172df065a396c7d5911fc3b441620a88cd6
SSDEEP: 768:1MplUyjrkUGOpAqbGLKXGSB4n2vRLsUihO+hJSjto6F6RFefOEPbyYFlnqQz5Ybe:XyEjOppi2ZLsUiw+owefZby4AQl7

Malware Config
Extracted: xworm
  127.0.0.1:18412
  tcp://2.tcp.eu.ngrok.io:18412
Install_directory: %AppData%
install_file: XClient.exe

Targets
Target: sigmaclient.exe
Size: 79KB
MD5: bc1bb66fe0c4f702412a40f322979865
SHA1: d81994ae9ba9fdd5a6f8fade7770c5edd8b07d0b
SHA256: 6e79fd3cff160f9bc9bc21303fac8ff2dc77c5b203006484d929a187837ecd0d
SHA512: d17d565407b3246d3e5be62d144807abf443969eece1783c736e8deac54dd65304f5122bdf9382b4a0b04fc3e49f3fd4971393d2ee251906f6b2f21148654651
SSDEEP: 1536:iH3GZW6IgCq/5SDusFUCXblclYnN6csdDZUcO1aTs6Gp:iXg6u3CXbla2ts77O1aTrGp
Detections
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops startup file
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.