General

  • Target

    images (1).jpg

  • Size

    7KB

  • Sample

    240531-tgp4vsea72

  • MD5

    626ca4444b5467a6f7ef0c76390d8326

  • SHA1

    43b0765303adeaa4aca03dcb1ec7a935bc0b2cd3

  • SHA256

    0b43d56b3ff8343955f5a0148ae54326b6a7c9dd30d7846e2e2865d8a10c19a1

  • SHA512

    474c84ce79ae82a88b7947e266cf5e432ce05b747672fa9e165148a653a4eabf60f855ea30a28e31bb605f600644504ec955e0c3623f5ebc5b8ff89651518c76

  • SSDEEP

    192:KONUduNvPlpM48HIxsBhT2hNV7Y9Glo5WLxtLHpUPP0:/1S4xsBJ2970ILPHV

Malware Config

Extracted

Family

xworm

C2

20.ip.gl.ply.gg:4277

Attributes

  • Install_directory

    %Userprofile%

  • install_file

    aimware_steam_module.exe

Targets

    • Target

      images (1).jpg

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks