General

  • Target

    TxDoomer_Loader_protected_original.exe

  • Size

    1.2MB

  • Sample

    240622-mzemhsveja

  • MD5

    fd3e0fddb2a2571d7c6010de90e552f9

  • SHA1

    55cd4a8e012740dfa430dddf3245ffad383b64a2

  • SHA256

    ab696814ce3c10f86e8ad86a8c1cbb45f9ab0ceddc336ca15bce36b2f1a87a13

  • SHA512

    654663056ba803474dc3cee0fa07da9fc6710debb49e343b06cc558f3f60879a1c54f4f2df44069247b9565f505a4413f11c1fa72de546f0cbfe33eb5405be3d

  • SSDEEP

    24576:jqeWJnK5cnuFa2s1kX/kbtIqgFHU0HEPJbO8dBUGKsmuzQ28HW:jjWMFXs1kX/tqUEPJbOEVd

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/Jt9Xgc6v

Targets

    • Target

      TxDoomer_Loader_protected_original.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks