General
Target: FunCheker.exe
Size: 58KB
Sample: 240719-w5nl2sxgkd
MD5: e1037ff08530e97f312f2c5cae895646
SHA1: 0439ffa576cec17918ed1e83144fdecd5bb5292e
SHA256: 1321a9ac30ec543ff79880144cf9358153122b0a7cb554ae5e1ef68d4dc010ed
SHA512: 980298958868a71505fd7c81f773430b5687f8f76a06aa6b64dfe321e2ebefae04ec36c09bdde4f6a9fe8a6970688a693ea4ace3e320cc884b4a8ff00532671a
SSDEEP: 768:V1/DUdf/Y8SI23anp2mWJre5vwR9TR6/b4PEmkCPBXg9p9kiViehWCmgzSI:V1/Eb5nwLapCTRkb4PGCPm9TtVQyeI
Behavioral task: behavioral1
Sample: FunCheker.exe
Resource: win10-20240404-en
Malware Config
Extracted: xworm
grand-ad.gl.at.ply.gg:21277
Install_directory: %AppData%
install_file: FunCheker.exe
Targets
Target: FunCheker.exe (58KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Score: 10/10
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)