General

  • Target

    2031gojosatoru.exe

  • Size

    79KB

  • Sample

    240530-mhwvgafb74

  • MD5

    f686daf477cd61c3eb72515148c22e05

  • SHA1

    a3689bf018dd135b924a4a98f82613ea2cc83b3a

  • SHA256

    552395ebc69975a174f299e3fac4909585eda51ed1554281165ba640f53f9679

  • SHA512

    cd6af2ebccfb7671965c255ad54f0e651c2c1f6ffb9ce832f39ac8998adb2bae42df6251730be2c884d75485890c30801d173675259e113b30c782ec7cccf153

  • SSDEEP

    1536:cqdGeH5wKOnDvi9r3JP7FiXqbU4s29iobdAJ6QOBWoFEBqPoUC:iP9D4317FkqbUzKdWOBWoF6Hj

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:45758

ads-enabled.gl.at.ply.gg:45758

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      2031gojosatoru.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks