General
-
Target
SwooferV2.exe
-
Size
105KB
-
Sample
240723-whbc7svcjb
-
MD5
60c8b6c6039d3f8c9badfcab3f769348
-
SHA1
70976c0efa889dbdb757def12ed785f21f744c1d
-
SHA256
61d4fcb0bc4875d3c776f26e90f917bc60b337b865434144e60aeb49b607489f
-
SHA512
4cdc7564a3df5113b1f1b0e5c1c4ebb3678cacc67fd6850459094b5b514e81e7493fa3ffce3a279c1e342f72e7c74672b9024bf70d8fba35955d8cbb352cf126
-
SSDEEP
3072:pE5a+vjEoDr0YPE0PFD6P8OTbx3OYtk19SCT:pEmC0YPE0PQEOp35KY0
Malware Config
Extracted
xworm
127.0.0.1:29827
screen-avenue.gl.at.ply.gg:29827
-
Install_directory
%AppData%
-
install_file
svhost.exe
Targets
-
-
Target
SwooferV2.exe
-
Size
105KB
-
MD5
60c8b6c6039d3f8c9badfcab3f769348
-
SHA1
70976c0efa889dbdb757def12ed785f21f744c1d
-
SHA256
61d4fcb0bc4875d3c776f26e90f917bc60b337b865434144e60aeb49b607489f
-
SHA512
4cdc7564a3df5113b1f1b0e5c1c4ebb3678cacc67fd6850459094b5b514e81e7493fa3ffce3a279c1e342f72e7c74672b9024bf70d8fba35955d8cbb352cf126
-
SSDEEP
3072:pE5a+vjEoDr0YPE0PFD6P8OTbx3OYtk19SCT:pEmC0YPE0PQEOp35KY0
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1