General

  • Target

    1.exe

  • Size

    53KB

  • Sample

    240531-rs5mksbh85

  • MD5

    42536e0f08c7d57461a28ae79861662b

  • SHA1

    75dfb211dc14edf5c8509002d76feeb0cc70fa10

  • SHA256

    4df13a3d7eb8be77ec0f83eed487dd17efc81b2a4684978f778e92f49106cec0

  • SHA512

    26444daf18a083e555fea6d84a87bd761727b8c65f7a32a37141d7a74cb0780c4b073426503c7c6efb705196c461208bbae370db19332a495f8b3675aeb4d438

  • SSDEEP

    1536:+mjG2KJi7zMibAyKOpfDjCgiszFB9xf7czU:+KKqdb59f6sZB957Z

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
