General

  • Target

    be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e

  • Size

    38KB

  • Sample

    240530-magqksea31

  • MD5

    d77397ab46eb531732629de610dfd019

  • SHA1

    7807cda05e71b1dce105d80ec23e40d55077b4d1

  • SHA256

    be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e

  • SHA512

    f49a1c0a67bf194572c00a51b779364175c72a3d9fe419f599a6108224da266f7731c54feb985cee151a7df61c7fe4a6d2d23ddb9881b1f14c5c060d95b62eff

  • SSDEEP

    768:SFtVJhZprPHSECWbLG1KuuuEYEgefFWPC93IQuW6cOMhha9:SFthZpLb3O1KuuPhFJ93eW6cOMLM

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:4099 (loopback address: as configured, this build only connects back to the local host, so no external C2 traffic can be observed from it)

Mutex

WSW1mmn4FiepKDro

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e

    • Size

      38KB

    • MD5

      d77397ab46eb531732629de610dfd019

    • SHA1

      7807cda05e71b1dce105d80ec23e40d55077b4d1

    • SHA256

      be1243dcd5cd64592aeb2c04d1dcb1a76c101aade618dbf6c33f96704741451e

    • SHA512

      f49a1c0a67bf194572c00a51b779364175c72a3d9fe419f599a6108224da266f7731c54feb985cee151a7df61c7fe4a6d2d23ddb9881b1f14c5c060d95b62eff

    • SSDEEP

      768:SFtVJhZprPHSECWbLG1KuuuEYEgefFWPC93IQuW6cOMhha9:SFthZpLb3O1KuuPhFJ93eW6cOMLM

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file
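The behaviour signatures listed above (Defender exclusions added via PowerShell, the registry country-code lookup, the dropped startup file) together with the install directory and file name from the extracted config can be turned into a small triage pass over a sandbox event trace. The Python below is an added example, not Triage's own signature logic and not code from the sample; the event schema, the sample events, and the startup file name XClient.lnk are constructed assumptions for the example, while the install path and file name come from the config above.

```python
import re

# Constructed, simplified sandbox event trace. The schema is an assumption made
# for this example (not Triage's export format); the values mirror the behaviours
# the report lists for this sample.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r'powershell -w hidden Add-MpPreference '
                 r'-ExclusionPath "C:\Users\lab\AppData\Roaming" '
                 r'-ExclusionExtension "exe" -ExclusionProcess "XClient.exe"')},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},                    # benign: no exclusions
    {"type": "registry_read",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "file_write", "path": r"C:\Users\lab\AppData\Roaming\XClient.exe"},
    {"type": "file_write",                                   # startup file name is assumed
     "path": r"C:\Users\lab\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"type": "file_write", "path": r"C:\Users\lab\Documents\notes.txt"},  # benign
]

# Values taken from the extracted config in the report.
XWORM_CONFIG = {"install_directory": "%AppData%", "install_file": "XClient.exe"}

# Defender exclusion tampering: Add-/Set-MpPreference with any -Exclusion* parameter.
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
MP_EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# The configured country code is the "Nation" value under this key.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.IGNORECASE)
# Matches both the per-user and the all-users Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def install_path_suffix(config):
    """Turn the config's %AppData%\\<file> into a path suffix to match against."""
    env = {"%AppData%": r"\AppData\Roaming"}  # %AppData% expands to <profile>\AppData\Roaming
    return env[config["install_directory"]] + "\\" + config["install_file"]


def triage(events, config=XWORM_CONFIG):
    """Return report-style signatures triggered by an event trace, in trace order."""
    findings = []
    install_suffix = install_path_suffix(config).lower()
    for ev in events:
        if ev["type"] == "process" and MP_CMDLET_RE.search(ev["cmdline"]):
            kinds = sorted({m.lower() for m in MP_EXCLUSION_RE.findall(ev["cmdline"])})
            if kinds:  # Set-MpPreference without -Exclusion* is not this signature
                findings.append({"signature": "Command and Scripting Interpreter: PowerShell",
                                 "detail": "Defender exclusions added for: " + ", ".join(kinds)})
        elif (ev["type"] == "registry_read" and GEO_KEY_RE.search(ev["key"])
              and ev.get("value", "").lower() == "nation"):
            findings.append({"signature": "Checks computer location settings",
                             "detail": ev["key"] + "\\" + ev["value"]})
        elif ev["type"] == "file_write":
            path = ev["path"]
            if STARTUP_RE.search(path):
                findings.append({"signature": "Drops startup file", "detail": path})
            elif path.lower().endswith(install_suffix):
                findings.append({"signature": "Drops Xworm install file", "detail": path})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['signature']}] {f['detail']}")
```

The exclusion rule deliberately requires an -Exclusion* parameter on Add-/Set-MpPreference rather than firing on any Defender cmdlet, so a plain Get-MpPreference audit or a Set-MpPreference call that changes something other than exclusions produces no finding; the install-file rule is driven entirely by the config values, so the same function works for another XWorm build with a different install_directory or install_file.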

MITRE ATT&CK Enterprise v15

Tasks