General
-
Target
linku.zip
-
Size
170B
-
Sample
240609-vlkwdadd67
-
MD5
49f7d71f60fd2147e145228450f7e25e
-
SHA1
240b28d5738e9a44ccf979dba8d2c4fe136b7121
-
SHA256
7e73d4e689a445c5848491b66cfd5a057c8c2017b7fd9d8b946b87c717cb172a
-
SHA512
04ea58ff6e534ed4412eb77b98726c2a026bac0115962a41c556309f82c9ea14e18e46abbd3f31b706b0bf88fa935bcc089370795c3ce6354321aeaaafffe12a
Malware Config
Extracted
xworm
127.0.0.1:15871
moving-agenda.gl.at.ply.gg:15871
-
Install_directory
%ProgramData%
-
install_file
conhost.exe
Targets
-
-
Target
linku.zip
-
Size
170B
-
MD5
49f7d71f60fd2147e145228450f7e25e
-
SHA1
240b28d5738e9a44ccf979dba8d2c4fe136b7121
-
SHA256
7e73d4e689a445c5848491b66cfd5a057c8c2017b7fd9d8b946b87c717cb172a
-
SHA512
04ea58ff6e534ed4412eb77b98726c2a026bac0115962a41c556309f82c9ea14e18e46abbd3f31b706b0bf88fa935bcc089370795c3ce6354321aeaaafffe12a
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-