General

Target: loaderv3.bat
Size: 299KB
Sample: 240603-3v33baee64
MD5: fb2b904352a2fe4334e6b6045a663992
SHA1: 2280a895cc006b963487877007506ecab4c7b428
SHA256: d08c1ba2d83e5693c21caa7a7a5dc6677488e9cfc4d23c6a691cdeafb8eb1c18
SHA512: e257ab742643a76725beaa99732116beaef8d081cca669bac53cd7eb2ecbc0d1a3ec14d57741b213d422ab8b9ccd501cc6d53d82850f8b2af373fd7b7b77456b
SSDEEP: 6144:WIHm4oKRCjxG7ttzSCO/vX0tv0ockdlWYrMU3yXtK/ZQRX0+S4:w4oKRC1GZt2CG1Xmn3vZQRXrf
Tasks

Static task: static1
Behavioral task: behavioral1 (sample loaderv3.bat, resource win7-20240220-en)
Behavioral task: behavioral2 (sample loaderv3.bat, resource win10v2004-20240508-en)
Malware Config

Extracted family: xworm
C2: 127.0.0.1:7489
C2: related-star.gl.at.ply.gg:7489
Install_directory: %ProgramData%
install_file: steamwebhelper.exe

Notes on the extracted config: related-star.gl.at.ply.gg is a playit.gg tunnel hostname, so the operator's real address sits behind the tunnel relay and the hostname (plus port 7489) is the indicator to hunt, not a fixed IP. The 127.0.0.1:7489 entry is most likely a leftover local-test entry in the builder config. The install name steamwebhelper.exe borrows the name of Steam's legitimate browser helper; the distinguishing indicator is the full path %ProgramData%\steamwebhelper.exe, since the genuine binary lives under the Steam install directory.
Targets

Target: loaderv3.bat (299KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10

Signatures
- Detect Xworm Payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry (on Windows this is the Nation value under HKCU\Control Panel\International\Geo), likely a geofence so the payload can skip machines in excluded countries.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, so the lookup itself is not malicious traffic and should be correlated with the other behaviours rather than alerted on alone.
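To turn the extracted config and the signature list above into something a SOC can run, here is an added hunting script that is not part of the Triage report or of XWorm. It encodes the report's indicators (the C2 hostname and port, the %ProgramData%\steamwebhelper.exe install path, the SHA256) as matching rules and runs them over a handful of constructed Sysmon-style events embedded in the block; the field names (Image, TargetFilename, TargetObject, QueryName, DestinationPort) mirror Sysmon's EventData names, but the records themselves, the SID and the IP addresses are made up for the demo. It assumes %ProgramData% resolves to its default C:\ProgramData. The DNS rule goes slightly beyond the page: it flags any *.ply.gg query as a playit.gg tunnel, which will also catch legitimate playit.gg users, so treat that hit as lower confidence than an exact hostname match.

```python
"""Hunt the XWorm indicators from the sandbox report in Sysmon-style telemetry.

Added example, not the report's or the malware's code. Rules are keyed on
Sysmon event IDs: 1 process create, 3 network connect, 11 file create,
13 registry value set, 22 DNS query.
"""
import hashlib
import re

# Indicators copied from the report above.
REPORT_SHA256 = "d08c1ba2d83e5693c21caa7a7a5dc6677488e9cfc4d23c6a691cdeafb8eb1c18"
C2_HOSTS = {"related-star.gl.at.ply.gg"}
C2_PORT = 7489
# Assumption: Install_directory %ProgramData% resolved to its default location.
INSTALL_PATH = r"c:\programdata\steamwebhelper.exe"

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def _norm(path):
    """Lower-case a Windows path and drop surrounding quotes for comparison."""
    return (path or "").strip('"').lower()


def match_event(ev):
    """Return the list of indicator names a single event matches (empty if none)."""
    hits = []
    eid = ev.get("event_id")
    if eid == 1 and _norm(ev.get("Image")) == INSTALL_PATH:
        hits.append("install_file_executed")          # "Executes dropped EXE"
    if eid == 11:
        target = _norm(ev.get("TargetFilename"))
        if target == INSTALL_PATH:
            hits.append("install_file_dropped")
        if STARTUP_DIR_RE.search(target):
            hits.append("startup_file_dropped")       # "Drops startup file"
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        if INSTALL_PATH in _norm(ev.get("Details")):
            hits.append("run_key_persistence")        # "Adds Run key to start application"
    if eid == 22:
        query = ev.get("QueryName", "").lower()
        if query in C2_HOSTS or query.endswith(".ply.gg"):
            hits.append("c2_dns")                     # exact C2 host or any playit.gg tunnel
    if eid == 3:
        host = ev.get("DestinationHostname", "").lower()
        if ev.get("DestinationPort") == C2_PORT and host in C2_HOSTS:
            hits.append("c2_connect")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one indicator."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]


def sha256_matches(data):
    """True if the given file bytes hash to the report's SHA256."""
    return hashlib.sha256(data).hexdigest() == REPORT_SHA256


# Constructed events for the demo; not real telemetry from the sandbox run.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\loaderv3.bat"'},
    {"event_id": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\steamwebhelper.exe"},
    {"event_id": 1, "Image": r"C:\ProgramData\steamwebhelper.exe",
     "CommandLine": r"C:\ProgramData\steamwebhelper.exe"},
    {"event_id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\steamwebhelper",
     "Details": r"C:\ProgramData\steamwebhelper.exe"},
    {"event_id": 22, "Image": r"C:\ProgramData\steamwebhelper.exe",
     "QueryName": "related-star.gl.at.ply.gg"},
    {"event_id": 3, "Image": r"C:\ProgramData\steamwebhelper.exe",
     "DestinationHostname": "related-star.gl.at.ply.gg",
     "DestinationIp": "203.0.113.10", "DestinationPort": 7489},
    # Genuine Steam helper with the same file name: must NOT match (path differs).
    {"event_id": 3, "Image": r"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe",
     "DestinationHostname": "steamcommunity.com",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The rules are deliberately keyed on the full install path rather than the file name, so the legitimate Steam helper in the last event produces no hit; in production you would feed real Sysmon or EDR records into scan() and add the external-IP-lookup and country-code registry reads as corroborating, lower-confidence signals.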