General
- Target: 230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104
- Size: 312KB
- Sample: 240530-yh35bsab59
- MD5: 7f4b154ca427e8cff171bd023a7d09e6
- SHA1: fa824a5a8d8584c0a6be92c98836108740524efd
- SHA256: 230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104
- SHA512: dea9097c684e88d8db8fc77b281a9342a0f3ceb715a80d7330c4f0acc2e89af0165642c323f0e1c58c8cd85d9267dc2c21a9244f7156aef22c0248730e3e53da
- SSDEEP: 3072:tBlz82ZP3RIEHi6py3EbCL1OLxJgwUKF77gkG3y2qIO2FIQg:t6ECgXb3KHkFpV
Behavioral task: behavioral1
- Sample: 230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted: xworm
- Install_directory: %AppData%
- install_file: Zoom.exe
- pastebin_url: https://pastebin.com/raw/13z7YSFZ
- telegram: https://api.telegram.org/bot7092403408:AAG_wO0B4Tz0Wtc7NXAuro3_Zyy4gC44z78
Targets
- Target: 230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104
- Score: 10/10
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects executables using Telegram Chat Bot
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service. Uses a legitimate IP lookup service to find the infected system's external IP.