General

  • Target

    230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104

  • Size

    312KB

  • Sample

    240530-yh35bsab59

  • MD5

    7f4b154ca427e8cff171bd023a7d09e6

  • SHA1

    fa824a5a8d8584c0a6be92c98836108740524efd

  • SHA256

    230fdd9370979f79b1c67b552c2d4b32d1f6c0afb1a29db588c7227d16f2a104

  • SHA512

    dea9097c684e88d8db8fc77b281a9342a0f3ceb715a80d7330c4f0acc2e89af0165642c323f0e1c58c8cd85d9267dc2c21a9244f7156aef22c0248730e3e53da

  • SSDEEP

    3072:tBlz82ZP3RIEHi6py3EbCL1OLxJgwUKF77gkG3y2qIO2FIQg:t6ECgXb3KHkFpV

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    Zoom.exe

  • pastebin_url

    https://pastebin.com/raw/13z7YSFZ

  • telegram

    https://api.telegram.org/bot7092403408:AAG_wO0B4Tz0Wtc7NXAuro3_Zyy4gC44z78

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Detects Windows executables referencing non-Windows User-Agents

    • Detects executables using Telegram Chat Bot

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
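
The config attributes and behaviours above map directly onto host and network detections. The following Python is an added example, not part of the sandbox report or of the XWorm code: three rules are run over constructed log lines shaped like a PowerShell script-block log, a Sysmon registry event and a web-proxy record. Only the install path, file name, pastebin URL and Telegram bot API host come from the report's config; the log formats, SID, user name and the Run value name "Zoom" are assumptions. The Telegram bot token is treated as a live credential and redacted before the evidence is recorded.

```python
"""Hunt for the XWorm behaviours listed in the report over constructed logs.

Added example; not part of the sandbox report. Only the IOCs (install path,
file name, pastebin URL, Telegram bot API host) come from the report; the log
formats, SID, user name and Run value name below are assumptions.
"""
import re
from dataclasses import dataclass

# IOCs from the report's Malware Config section.
INSTALL_FILE = "Zoom.exe"
PASTEBIN_RAW = "https://pastebin.com/raw/13z7YSFZ"
TELEGRAM_BOT_API = "https://api.telegram.org/bot"

# Rule 1: PowerShell adding Defender exclusions via Add-/Set-MpPreference.
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)

# Rule 2: Run-key persistence whose target lives under %AppData% (Roaming).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_TARGET = re.compile(r"(%AppData%|\\AppData\\Roaming\\)", re.IGNORECASE)

# Rule 3: egress to the hosting services the sample abuses for C2 resolution/exfil.
C2_SERVICES = ("pastebin.com/raw/", "api.telegram.org/bot")

# A Telegram bot token is a live credential; redact it before the evidence is stored.
BOT_TOKEN = re.compile(r"(api\.telegram\.org/bot)\d+:[\w-]+")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def redact(line: str) -> str:
    """Replace the bot token in a URL with a placeholder, leaving the path intact."""
    return BOT_TOKEN.sub(r"\1<redacted>", line)


def scan(lines):
    """Return one Finding per (rule, line) match; a line may hit several rules."""
    findings = []
    for line in lines:
        if DEFENDER_EXCLUSION.search(line):
            findings.append(Finding("defender_exclusion_via_powershell", redact(line)))
        if RUN_KEY.search(line) and APPDATA_TARGET.search(line):
            findings.append(Finding("run_key_into_appdata", redact(line)))
        if any(svc in line for svc in C2_SERVICES):
            findings.append(Finding("c2_hosting_service_egress", redact(line)))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample lines (not captured from the sandbox run).
SAMPLE_LOGS = [
    # PowerShell 4104 script-block text, constructed
    r'ScriptBlockText: Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\Zoom.exe"',
    r'ScriptBlockText: Add-MpPreference -ExclusionProcess "Zoom.exe" -ExclusionExtension ".exe"',
    # Sysmon Event 13 (RegistryValueSet), constructed; value name "Zoom" is an assumption
    r'EventID=13 TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Zoom Details=C:\Users\victim\AppData\Roaming\Zoom.exe',
    # Benign Run value pointing into Program Files, constructed; must not match
    r'EventID=13 TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Program Files\Vendor\Updater.exe',
    # Web-proxy records, constructed; the URLs are the ones in the report's config
    "GET " + PASTEBIN_RAW + " 200",
    "POST " + TELEGRAM_BOT_API + "7092403408:AAG_wO0B4Tz0Wtc7NXAuro3_Zyy4gC44z78/sendMessage 200",
    "GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.evidence}")
    print(summarize(scan(SAMPLE_LOGS)))
```

Rule 2 requires both the Run key path and an %AppData% target so that legitimate Run entries pointing into Program Files do not fire; the redaction keeps the `/sendMessage` path visible for analysts while removing the token itself from anything that lands in a SIEM.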
