General
- Target: vusepod.exe
- Size: 322KB
- Sample: 240707-1mk6es1djb
- MD5: 252efc7431d4a6ac09eec40c07708cd4
- SHA1: 122102a5af1736b177f26655864a733865a7b92d
- SHA256: fd1a9a1dcd8633c101f71130350126b522d0f46efb9e3a1c119dc2db72cf68fd
- SHA512: 8f8cc89d7390fc46162a01fed5b4c17c95a91ef2a7cbe366baad73136366202285adb0067f8440fbb613005c2111a110710c63eaec8e348e76737cdaf1bdcdf4
- SSDEEP: 6144:AnSBcyyqUz/2jP6ZxShorzkvF27F8L9u3Dz+VvERRoO7E/5vqksUByLhXDaF:AnSBcyyz2bBi3f6L4+VvERv7gvqGytza
Static task
- static1

Behavioral task
- behavioral1
- Sample: vusepod.exe
- Resource: win10v2004-20240704-en
Malware Config
Extracted: xworm
- case-shield.gl.at.ply.gg:26501
- install_file: game.exe
Targets
- Target: vusepod.exe
- Size: 322KB
- MD5: 252efc7431d4a6ac09eec40c07708cd4
- SHA1: 122102a5af1736b177f26655864a733865a7b92d
- SHA256: fd1a9a1dcd8633c101f71130350126b522d0f46efb9e3a1c119dc2db72cf68fd
- SHA512: 8f8cc89d7390fc46162a01fed5b4c17c95a91ef2a7cbe366baad73136366202285adb0067f8440fbb613005c2111a110710c63eaec8e348e76737cdaf1bdcdf4
- SSDEEP: 6144:AnSBcyyqUz/2jP6ZxShorzkvF27F8L9u3Dz+VvERRoO7E/5vqksUByLhXDaF:AnSBcyyz2bBi3f6L4+VvERv7gvqGytza
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext