General
-
Target
V3nom Config.exe
-
Size
87KB
-
Sample
240625-ft5s7avgpk
-
MD5
1a7ceb9cbe488824a40f0cc5a9ca0669
-
SHA1
3c77844b0080d40026dfa529819358e14cc93fff
-
SHA256
a77db9182db4c6d3b489d9316c199ac05de892b0fbeb30bc6f3eaf617e1f8e5c
-
SHA512
dbd21914cae1626f72836f4c7eb4e47810949b8d7e48d623ec88d9e1a0fb82008165ced725114b6269c8679f6b26228106ba07ddc961acfbfd89c03b9fa2f17b
-
SSDEEP
1536:Rm0UDzTeGudoarBN7eb/sVhmbi6+M48/OtEPwY5Zhdv5:8zDuGudoIBwb/JbR4cOMwY5Z/5
Malware Config
Extracted
xworm
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/f0vkYm0a
Targets
-
-
Target
V3nom Config.exe
-
Size
87KB
-
MD5
1a7ceb9cbe488824a40f0cc5a9ca0669
-
SHA1
3c77844b0080d40026dfa529819358e14cc93fff
-
SHA256
a77db9182db4c6d3b489d9316c199ac05de892b0fbeb30bc6f3eaf617e1f8e5c
-
SHA512
dbd21914cae1626f72836f4c7eb4e47810949b8d7e48d623ec88d9e1a0fb82008165ced725114b6269c8679f6b26228106ba07ddc961acfbfd89c03b9fa2f17b
-
SSDEEP
1536:Rm0UDzTeGudoarBN7eb/sVhmbi6+M48/OtEPwY5Zhdv5:8zDuGudoIBwb/JbR4cOMwY5Z/5
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1