General

  • Target

    1.rar

  • Size

    47KB

  • Sample

    240530-l2tzjsef94

  • MD5

    aafccc3858c70b647a94d73e54894ada

  • SHA1

    d361e0349d7f4df30a491edac9efafe00f2d5b2d

  • SHA256

    c289b644e32dac8b9ae76b02e01cd301a680bb3847ed60c396477d60ec861ac7

  • SHA512

    f8bbed233310113d97c5c65c3f95dc1407b1ff0b9f44ff1edf2c44021ad2b94d59634ceb0967d741a22c9186995fd172df065a396c7d5911fc3b441620a88cd6

  • SSDEEP

    768:1MplUyjrkUGOpAqbGLKXGSB4n2vRLsUihO+hJSjto6F6RFefOEPbyYFlnqQz5Ybe:XyEjOppi2ZLsUiw+owefZby4AQl7

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:18412

tcp://2.tcp.eu.ngrok.io:18412

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe
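
Turning the extracted config into something a hunt can actually use is the practical step after reading it. The following is an added example, not part of this sandbox report or of the XWorm sample: it normalises the two C2 entries, sets aside the 127.0.0.1 entry (the builder's default, which only ever matches traffic that stays on the host), and matches constructed network-connection records against the ngrok endpoint. The ngrok hostname pattern (`<n>.tcp[.<region>].ngrok.io`) and the event field names are assumptions; the sample events are constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# C2 entries exactly as extracted from the sample's config (see the report above).
C2_ENTRIES = ["127.0.0.1:18412", "tcp://2.tcp.eu.ngrok.io:18412"]

# Assumption: ngrok TCP tunnel endpoints look like "<n>.tcp[.<region>].ngrok.io".
# The tunnel number and region are assigned by ngrok, so the same operator can
# reappear on a sibling host; the forwarded port is the more stable part of the IOC.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$", re.I)


def parse_c2(entry):
    """Normalise 'host:port' or 'scheme://host:port' into (host, port)."""
    if "://" not in entry:
        entry = "tcp://" + entry
    parts = urlsplit(entry)
    return parts.hostname, parts.port


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'; hostnames are not resolved."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def classify_c2(entries):
    """Split config C2s into ones worth hunting and loopback placeholders.
    Alerting on the 127.0.0.1 entry would only produce noise."""
    hunt, ignored = [], []
    for entry in entries:
        host, port = parse_c2(entry)
        (ignored if is_loopback(host) else hunt).append((host, port))
    return {"hunt": hunt, "ignored": ignored}


def match_network_events(events, entries=C2_ENTRIES):
    """Return (event, reason) for each event that hits a hunted C2, either exactly
    or as another ngrok TCP tunnel host on the same forwarded port."""
    hunted = classify_c2(entries)["hunt"]
    hits = []
    for ev in events:
        for host, port in hunted:
            if ev["port"] != port:
                continue
            if ev["host"].lower() == host.lower():
                hits.append((ev, "exact C2 match"))
                break
            if NGROK_TCP_RE.match(host) and NGROK_TCP_RE.match(ev["host"]):
                hits.append((ev, "ngrok TCP tunnel on the configured port"))
                break
    return hits


# Constructed network-connection records (field names are an assumption; map
# them from Sysmon Event ID 3 or your EDR's equivalent). Not from the sandbox run.
SAMPLE_EVENTS = [
    {"image": "XClient.exe", "host": "2.tcp.eu.ngrok.io", "port": 18412},
    {"image": "XClient.exe", "host": "4.tcp.eu.ngrok.io", "port": 18412},
    {"image": "svchost.exe", "host": "127.0.0.1", "port": 18412},
    {"image": "chrome.exe", "host": "www.example.com", "port": 443},
]

if __name__ == "__main__":
    print(classify_c2(C2_ENTRIES))
    for ev, why in match_network_events(SAMPLE_EVENTS):
        print(f"{ev['image']} -> {ev['host']}:{ev['port']}  ({why})")
```

Because the tunnel host is dynamic, the second match (a sibling `*.tcp.eu.ngrok.io` host on port 18412) is the one that keeps the indicator alive after the operator restarts ngrok; pair it with the process name `XClient.exe` from the config to keep the false-positive rate down.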

Targets

    • Target

      sigmaclient.exe

    • Size

      79KB

    • MD5

      bc1bb66fe0c4f702412a40f322979865

    • SHA1

      d81994ae9ba9fdd5a6f8fade7770c5edd8b07d0b

    • SHA256

      6e79fd3cff160f9bc9bc21303fac8ff2dc77c5b203006484d929a187837ecd0d

    • SHA512

      d17d565407b3246d3e5be62d144807abf443969eece1783c736e8deac54dd65304f5122bdf9382b4a0b04fc3e49f3fd4971393d2ee251906f6b2f21148654651

    • SSDEEP

      1536:iH3GZW6IgCq/5SDusFUCXblclYnN6csdDZUcO1aTs6Gp:iXg6u3CXbla2ts77O1aTrGp

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
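
The Defender-exclusion behaviour above is the most detectable step of the infection, because it has to go through a cmdlet that PowerShell script block logging (Event ID 4104) records in clear text. The following is an added example, not part of this sandbox report: it extracts the exclusion targets from constructed script block text and flags those that would shield the install location from the config (`%AppData%`, `XClient.exe`). It assumes the exclusions are set with `Add-MpPreference` or `Set-MpPreference` and their `-ExclusionPath`, `-ExclusionProcess` and `-ExclusionExtension` parameters (the report does not name the cmdlet); the log lines are constructed, not taken from the sandbox run.

```python
import re

# Cmdlets that write Defender exclusions (Add- appends, Set- replaces the list).
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension, including the
# abbreviated forms PowerShell accepts (-ExclusionPa, -ExclusionPr, -ExclusionE),
# followed by one value or a comma-separated list, quoted or bare.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+)"
PARAM_RE = re.compile(
    r"-Exclusion(Pa\w*|Pr\w*|E\w*)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.I,
)


def _split_values(raw):
    # Commas inside quoted values are not handled; good enough for logged one-liners.
    return [v.strip().strip("'\"") for v in re.split(r"\s*,\s*", raw) if v.strip()]


def extract_exclusions(text):
    """Return [{'kind': 'path'|'process'|'extension', 'values': [...]}, ...] for every
    exclusion parameter in text, or [] if no Add-/Set-MpPreference is present."""
    if not MPPREF_RE.search(text):
        return []
    found = []
    for m in PARAM_RE.finditer(text):
        key = m.group(1).lower()
        kind = "path" if key.startswith("pa") else "process" if key.startswith("pr") else "extension"
        found.append({"kind": kind, "values": _split_values(m.group(2))})
    return found


def covers_install(exclusions, install_dir="%AppData%", install_file="XClient.exe"):
    """True if any exclusion would shield the install location from the config.
    Assumption: %AppData% expands to the default <profile>\\AppData\\Roaming layout."""
    appdata_forms = {install_dir.lower(), "$env:appdata"}
    ext = install_file.rsplit(".", 1)[-1].lower()
    for ex in exclusions:
        for v in ex["values"]:
            lv = v.lower().rstrip("\\")
            if ex["kind"] == "process" and (lv == install_file.lower() or lv.endswith("\\" + install_file.lower())):
                return True
            if ex["kind"] == "path" and (lv in appdata_forms or lv.endswith("\\appdata\\roaming")):
                return True
            if ex["kind"] == "extension" and lv.lstrip(".") == ext:
                return True
    return False


def detect(lines):
    """Run over script block text; return (index, exclusions, covers_install) per hit."""
    hits = []
    for i, line in enumerate(lines):
        ex = extract_exclusions(line)
        if ex:
            hits.append((i, ex, covers_install(ex)))
    return hits


# Constructed Event ID 4104 ScriptBlockText values (not from the sandbox run).
SAMPLE_SCRIPTBLOCKS = [
    r'Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming" -ExclusionProcess "XClient.exe" -ExclusionExtension ".exe"',
    r"Add-MpPreference -ExclusionPr 'XClient.exe' -ExclusionPa $env:APPDATA",
    r'powershell -w hidden -c "Add-MpPreference -ExclusionExtension .dll,.ps1"',
    r"Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",
]

if __name__ == "__main__":
    for idx, ex, shields in detect(SAMPLE_SCRIPTBLOCKS):
        print(idx, "shields install location" if shields else "exclusion only", ex)
```

Matching the abbreviated parameter names matters: `-ExclusionPa` is accepted by PowerShell and defeats a detection keyed on the literal string `-ExclusionPath`. The third sample line is reported as an exclusion but not as one covering the install location, which is the distinction a triage analyst wants when prioritising.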

MITRE ATT&CK Enterprise v15