General
- Target: download.jfif
- Size: 25KB
- Sample: 240615-wa3sgsygpc
- MD5: 892dcb5a22f25a21b8568329447a4bea
- SHA1: 5213d3b077d32423dd365dbb2f42903243f26695
- SHA256: e006a4ca1f621eda8a0ef9b6ff69b5d436790796c9819f850380b1c534ccc500
- SHA512: b17418896080fa878596d3944bd9086ca452a93e34252418c6bad094619f564ed4ec6fef0ed8a3871ff6805966d2e9078f7004591c3d0948a2f5093894850e10
- SSDEEP: 768:wP0RfgtWAhTLzGojLdoLEanQiAWJRMIWMBglPOnxM4:CtW6TGojLd1UWIWMOlPmW4
Static task: static1
Behavioral task: behavioral1
- Sample: download.jpg
- Resource: win10-20240404-en
Malware Config
Extracted: xworm
- news-accept.gl.at.ply.gg:24727
- wiz.bounceme.net:6000
- ew0h9RSfAfyU3YO4
- Install_directory: %AppData%
- install_file: USB.exe
Targets
- Target: download.jfif (25KB; same MD5, SHA1, SHA256, SHA512 and SSDEEP values as listed under General)
Score: 10/10
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext