General
-
Target
Laby Mod 4.exe
-
Size
183KB
-
Sample
240615-w8bfwsvbmk
-
MD5
78880dead064af782c3e4aba5d0ee3ee
-
SHA1
5eb9f0814ebde2a21f8c71174d4413b30402da22
-
SHA256
80d7887a8295b989709e549a25e608175c040ccf44021202c3d4c6a5957178a1
-
SHA512
a982d96ad8f17023aa039c1780fcc831ee21e59873799d99b552a20d021fcadcdfc59a1479b9fed65268ba21b74c26f10a420130b4a08051fdff23901182f0e9
-
SSDEEP
1536:YtS7gCJKoHg0zy3JHYTrX+bNbBeYuY1v6omOWCHtf5tUvzIJDig7RKNgsaudEw3f:DDg0zw5Y2bN9uYAOH15tG8ZOewvNIW
Malware Config
Extracted
xworm
restaurant-equation.gl.at.ply.gg:23887
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
Laby Mod 4.exe
-
Size
183KB
-
MD5
78880dead064af782c3e4aba5d0ee3ee
-
SHA1
5eb9f0814ebde2a21f8c71174d4413b30402da22
-
SHA256
80d7887a8295b989709e549a25e608175c040ccf44021202c3d4c6a5957178a1
-
SHA512
a982d96ad8f17023aa039c1780fcc831ee21e59873799d99b552a20d021fcadcdfc59a1479b9fed65268ba21b74c26f10a420130b4a08051fdff23901182f0e9
-
SSDEEP
1536:YtS7gCJKoHg0zy3JHYTrX+bNbBeYuY1v6omOWCHtf5tUvzIJDig7RKNgsaudEw3f:DDg0zw5Y2bN9uYAOH15tG8ZOewvNIW
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-