General

  • Target

    Steam Cracked Game.exe

  • Size

    342KB

  • Sample

    240609-yekhtaec2w

  • MD5

    e07737cf61bea17350b57d5e41ace509

  • SHA1

    df9a2deac733b5ca5877f9204b56e82538eec838

  • SHA256

    838dd21722f8cae52adcb57145a66e34a0607419a8d747442f1398eaf49e3613

  • SHA512

    45595657446545b0203c315199a78eeb25a33afded94d612b92bb18297553a568a7d7f66a7927cbcf781c70fc80df28ca6bcf1cc66c48243f50901edd7cfe33c

  • SSDEEP

    6144:Itq7bhrSSB+GIIIIIIIhIIIIIIIIIIIIIIIU:RRrq

Malware Config

Extracted

Family

xworm

C2

5.tcp.eu.ngrok.io:19862

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Targets

    • Target

      Steam Cracked Game.exe

    • Size

      342KB

    • MD5

      e07737cf61bea17350b57d5e41ace509

    • SHA1

      df9a2deac733b5ca5877f9204b56e82538eec838

    • SHA256

      838dd21722f8cae52adcb57145a66e34a0607419a8d747442f1398eaf49e3613

    • SHA512

      45595657446545b0203c315199a78eeb25a33afded94d612b92bb18297553a568a7d7f66a7927cbcf781c70fc80df28ca6bcf1cc66c48243f50901edd7cfe33c

    • SSDEEP

      6144:Itq7bhrSSB+GIIIIIIIhIIIIIIIIIIIIIIIU:RRrq

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v13

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks