General
Target: Loaderv1.bat
Size: 287KB
Sample: 240601-qkj58sdc4w
MD5: 9becc53510e45ce1b95b220e19043830
SHA1: ad4235a6e3c233e03163e7b4af7be64f4dd37e6e
SHA256: b2fa653ad9ccf9b61a1bf34a11a6f2ecaebc59e1e6efcccc5ffb0628b7472374
SHA512: ddae4aac9040ce0a145fd6b26f2996265af4c53db9bc8a562e7f21c33ad1ba43864b438566161f8dc771d9e5ca3df8ef597fd405b371605e29c66669c2a5e4e1
SSDEEP: 6144:tNKne6api98v5J5VTnn0FV/Q4snog1XntS3zozE0nyXMMGe/bG:tNKnWpi945J59mVNAoDDQe1i
Static task: static1
Behavioral task: behavioral1
  Sample: Loaderv1.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Loaderv1.bat
  Resource: win10v2004-20240508-en
Malware Config
Extracted: xworm
  continue-silk.gl.at.ply.gg:58347
  127.0.0.1:58347
  Install_directory: %Temp%
  install_file: steamwebhelper.exe
Targets
Target: Loaderv1.bat
Size: 287KB
MD5: 9becc53510e45ce1b95b220e19043830
SHA1: ad4235a6e3c233e03163e7b4af7be64f4dd37e6e
SHA256: b2fa653ad9ccf9b61a1bf34a11a6f2ecaebc59e1e6efcccc5ffb0628b7472374
SHA512: ddae4aac9040ce0a145fd6b26f2996265af4c53db9bc8a562e7f21c33ad1ba43864b438566161f8dc771d9e5ca3df8ef597fd405b371605e29c66669c2a5e4e1
SSDEEP: 6144:tNKne6api98v5J5VTnn0FV/Q4snog1XntS3zozE0nyXMMGe/bG:tNKnWpi945J59mVNAoDDQe1i
Score: 10/10
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.