General
-
Target
thegreatestexploitSCRIPT.exe
-
Size
1.1MB
-
Sample
240725-qeba5szfrq
-
MD5
6355193424d5f27e804335671d67b4d2
-
SHA1
46fb86d88ab38698367394de0cccfd3ba55d419e
-
SHA256
0c610042b3f514a3fbf737244f8a38e7fe5fc5d795471bb73daadd3a0181f5d2
-
SHA512
ff0e72dbbc870419f875522b12bfd7bd99d56228d04e517a01e20b0c139f737dd7dfff99145ab6b2c24a51cfef8a4a3b091c058501d746a348f3bcebd607d075
-
SSDEEP
24576:qXltYB64AmZ4r448WV3RQW6UpPNbwlebQD4PZxIb1p68eclgSDOk:ESMsUPFRplBk4BxYysgAO
Malware Config
Extracted
xworm
published-philadelphia.gl.at.ply.gg:8848
localhost:8848
127.0.0.1:8848
-
Install_directory
%AppData%
-
install_file
xdwdNotepad++.exe
Targets
-
-
Target
thegreatestexploitSCRIPT.exe
-
Size
1.1MB
-
MD5
6355193424d5f27e804335671d67b4d2
-
SHA1
46fb86d88ab38698367394de0cccfd3ba55d419e
-
SHA256
0c610042b3f514a3fbf737244f8a38e7fe5fc5d795471bb73daadd3a0181f5d2
-
SHA512
ff0e72dbbc870419f875522b12bfd7bd99d56228d04e517a01e20b0c139f737dd7dfff99145ab6b2c24a51cfef8a4a3b091c058501d746a348f3bcebd607d075
-
SSDEEP
24576:qXltYB64AmZ4r448WV3RQW6UpPNbwlebQD4PZxIb1p68eclgSDOk:ESMsUPFRplBk4BxYysgAO
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1