General
- Target: 1.exe
- Size: 53KB
- Sample: 240531-rs5mksbh85
- MD5: 42536e0f08c7d57461a28ae79861662b
- SHA1: 75dfb211dc14edf5c8509002d76feeb0cc70fa10
- SHA256: 4df13a3d7eb8be77ec0f83eed487dd17efc81b2a4684978f778e92f49106cec0
- SHA512: 26444daf18a083e555fea6d84a87bd761727b8c65f7a32a37141d7a74cb0780c4b073426503c7c6efb705196c461208bbae370db19332a495f8b3675aeb4d438
- SSDEEP: 1536:+mjG2KJi7zMibAyKOpfDjCgiszFB9xf7czU:+KKqdb59f6sZB957Z
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20240220-en
Malware Config
Extracted: xworm
- Install_directory: %AppData%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/Jt9Xgc6v
Targets
- Target: 1.exe
- Size: 53KB
- MD5: 42536e0f08c7d57461a28ae79861662b
- SHA1: 75dfb211dc14edf5c8509002d76feeb0cc70fa10
- SHA256: 4df13a3d7eb8be77ec0f83eed487dd17efc81b2a4684978f778e92f49106cec0
- SHA512: 26444daf18a083e555fea6d84a87bd761727b8c65f7a32a37141d7a74cb0780c4b073426503c7c6efb705196c461208bbae370db19332a495f8b3675aeb4d438
- SSDEEP: 1536:+mjG2KJi7zMibAyKOpfDjCgiszFB9xf7czU:+KKqdb59f6sZB957Z
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.