General
-
Target
workpls.exe
-
Size
80KB
-
Sample
240614-glht5a1dqq
-
MD5
7c5b4c2fb85480f3b020cabc27349803
-
SHA1
b32c34e787dfc4caf435e136d24bf561568aaedb
-
SHA256
15b874bf48138911f8e51bcd50b8fbfbb92b2195e841e8f019ec0a4bf43d0b3c
-
SHA512
be8a1e88f5a9b3b022417aeecbe9a984f271434a64946ead097171311d66ae722be402f1f70d873c7db374ce32975a33edbd00d078c58c7dba0f294c958ed0b2
-
SSDEEP
1536:tsONV0sICTBhsZBjCDTVj+bE8v5Cq6+uz1d46aI498NOkYF1Z:ts32tOKl+bEf+cd0I3OkEX
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/YetBwjAF
Targets
-
-
Target
workpls.exe
-
Size
80KB
-
MD5
7c5b4c2fb85480f3b020cabc27349803
-
SHA1
b32c34e787dfc4caf435e136d24bf561568aaedb
-
SHA256
15b874bf48138911f8e51bcd50b8fbfbb92b2195e841e8f019ec0a4bf43d0b3c
-
SHA512
be8a1e88f5a9b3b022417aeecbe9a984f271434a64946ead097171311d66ae722be402f1f70d873c7db374ce32975a33edbd00d078c58c7dba0f294c958ed0b2
-
SSDEEP
1536:tsONV0sICTBhsZBjCDTVj+bE8v5Cq6+uz1d46aI498NOkYF1Z:ts32tOKl+bEf+cd0I3OkEX
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-