General

  • Target

    main.v1.exe

  • Size

    1.2MB

  • Sample

    240621-gsa3vstdpj

  • MD5

    dc34a8f3b65df10c070951e4badc0dc4

  • SHA1

    cf3f53df78152e416ae517dd09a2d8e874c3cb05

  • SHA256

    6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f

  • SHA512

    a52afa789dc5ac42c50a2364c2d9e8138aaee833ac4e266f99473a01412e46fcbfa3351adf538ec023df13234203b90c0b8d3e429155b4515da1210657f9e008

  • SSDEEP

    24576:vGjmmvk+tKHCeYhDM/gRZGJ1FkRlqY3Jna5ptgJBXc1mz7MljDBdUaUk/0nF:+6mvoieODMo/GJQoYpantgbv81ck0n

Malware Config

Extracted

Family

xworm

C2

gift-scientists.gl.at.ply.gg:20443

Attributes
  • Install_directory

    %AppData%

  • install_file

    scvhost.exe

Targets

    • Target

      main.v1.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (typically via the Add-MpPreference cmdlet).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL
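
An added hunting example (not part of this sandbox report, and not code from Xworm or the sandbox): it turns the extracted config (C2 host and port, install directory and file) and the "PowerShell modifies Defender exclusions" signature above into checks that run over log events. The indicator values are copied from the report; the event shape, its field names and the sample events themselves are constructed for illustration and are assumptions, not data from the sandbox run.

```python
"""Hunt for the indicators in the Xworm report above over generic log events.
Indicator values come from the report; everything else here is an assumption
made for this example."""
import hashlib
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f"
C2_HOST = "gift-scientists.gl.at.ply.gg"
C2_PORT = 20443
INSTALL_FILE = "scvhost.exe"  # transposed letters: a typo-squat of svchost.exe

# %AppData% expands to <profile>\AppData\Roaming on Windows, so the install
# file from the config lands at <profile>\AppData\Roaming\scvhost.exe.
INSTALL_PATH_RE = re.compile(
    r"[\\/]AppData[\\/]Roaming[\\/]" + re.escape(INSTALL_FILE) + r"$", re.IGNORECASE
)
# Defender exclusion tampering as the PowerShell signature describes it:
# Add-MpPreference with an -ExclusionPath/-ExclusionExtension/-ExclusionProcess
# argument on the same statement (stop at a newline or ';').
EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b[^\n;]*?-Exclusion(Path|Extension|Process)\b", re.IGNORECASE
)


def defender_exclusion_kinds(script_text):
    """Return the sorted exclusion kinds ('path', 'extension', 'process') that a
    PowerShell script block adds via Add-MpPreference; [] if it adds none."""
    return sorted({m.group(1).lower() for m in EXCLUSION_RE.finditer(script_text)})


def is_c2_connection(host, port=None):
    """True if a destination matches the extracted C2 host (and port, if given)."""
    return host.lower() == C2_HOST and (port is None or port == C2_PORT)


def is_install_artifact(path):
    """True if a file path is the persistence copy %AppData%\\scvhost.exe."""
    return INSTALL_PATH_RE.search(path) is not None


def matches_sample(data):
    """True if file contents hash to the report's SHA256."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed events (hypothetical, not from the sandbox run). 'kind' selects
# the check; the other fields mimic what a log shipper would carry.
SAMPLE_EVENTS = [
    {"kind": "script_block",
     "text": 'Add-MpPreference -ExclusionPath "C:\\Users\\bob\\AppData\\Roaming"'},
    {"kind": "script_block",
     "text": 'Add-MpPreference -ExclusionProcess "scvhost.exe" ; '
             'Add-MpPreference -ExclusionExtension ".exe"'},
    {"kind": "script_block",
     "text": "Get-MpPreference | Select-Object ExclusionPath"},  # read-only, benign
    {"kind": "network", "dst_host": "gift-scientists.gl.at.ply.gg", "dst_port": 20443},
    {"kind": "network", "dst_host": "update.example.com", "dst_port": 443},
    {"kind": "file_create", "path": "C:\\Users\\bob\\AppData\\Roaming\\scvhost.exe"},
    {"kind": "file_create", "path": "C:\\Windows\\System32\\svchost.exe"},
]


def hunt(events):
    """Return (event index, reason) for every event matching a report indicator."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "script_block":
            kinds = defender_exclusion_kinds(ev["text"])
            if kinds:
                hits.append((i, "defender exclusions added: " + ",".join(kinds)))
        elif ev["kind"] == "network" and is_c2_connection(ev["dst_host"], ev.get("dst_port")):
            hits.append((i, "connection to Xworm C2"))
        elif ev["kind"] == "file_create" and is_install_artifact(ev["path"]):
            hits.append((i, "Xworm install file written to %AppData%"))
    return hits


if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The C2 check compares the hostname rather than an IP because `*.ply.gg` is a tunnelling service whose backing address can change while the hostname and port stay fixed; the install-file check matches on the misspelled filename under the Roaming profile path, which a legitimate svchost.exe never uses.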

MITRE ATT&CK Enterprise v15