General

  • Target

    проверка.exe

  • Size

    98KB

  • Sample

    240531-xlp67sad68

  • MD5

    69c00aa1f2cecc09093eec932c788209

  • SHA1

    2bcdc2f36469087ec60acc0b6d3e47fde03d0f6c

  • SHA256

    c3873500c3bff4e73beacd24ce3005f0f5d5486d51b73cc7e0dc8b3bcbf902e2

  • SHA512

    8bc1e413998b4c6ff77798561097fbec6c5c52aec560a62c73025739157cf3dc4a06d3d645cc582eb88533166a2373f92dc3332084036966491b9934cc3ab214

  • SSDEEP

    3072:zjZtl/CL+bANzvyz3CwO/dF81W0cgteL:z9tl/CibuzXF8g0ct

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:65468

speed-wheat.gl.at.ply.gg:65468

XWorm V5.2:123

Attributes

  • Install_directory

    %AppData%

  • install_file

    Delta.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks