General

  • Target

    2a5b5dd73935856b654f9dc258ee03a8fe49bb00e031853531d17d8eea611739_NeikiAnalytics.exe

  • Size

    348KB

  • Sample

    240621-b1sd8avdrd

  • MD5

    b3fba95fa0a36b91232ed001b85740b0

  • SHA1

    3694d1e3896f8feed1e2c5b9e0d6604a8360301d

  • SHA256

    2a5b5dd73935856b654f9dc258ee03a8fe49bb00e031853531d17d8eea611739

  • SHA512

    a2d2d64830e0c28f9055ed72e38b89faaff31d963a22ef649991d7dc9f8a5ce0a0084519a9b10b12c6669a6946bd4917b316c9e7bfe1e42e247c7470ecd21c12

  • SSDEEP

    6144:sfdDdAMubtyw3+GIIIIIIIhIIIIIIIIIIIIIIIU:gdDdAMq4

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/WsRsgn8M

Targets

    • Target

      2a5b5dd73935856b654f9dc258ee03a8fe49bb00e031853531d17d8eea611739_NeikiAnalytics.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks