General
Target: EaglesBC (2).exe
Size: 11.4MB
Sample: 240727-qyt8cssakk
MD5: 4b51836c5d5d08b3532856751d8d21e1
SHA1: 7ed645a10198f69334d038616cabb2d627ced0a1
SHA256: 2a12b9515d6865670ff51c0cfa19f016f84304b3087dcac8a13b4841c6f769ad
SHA512: 8942661691f374fcb92b0603597e2fe874f7a4d2619d6dcead2b5ebb43b3e5ddf6aa08a420a6235dac0ea5291dfc44edd98dba88ecfe82a09b082527742c658d
SSDEEP: 196608:rnDb8zwvKtQSy5+HXMpp1fVJsHTCwoDaNKEu0pitm74j+koTC56NEY4F4ilyiWA9:rn6wCt1y5+HXMp7f/sHT62u7oTCgN/iV
Static task: static1
Behavioral task: behavioral1
Sample: EaglesBC (2).exe
Resource: win10-20240611-en
Malware Config
Extracted: xworm
C2: bulletingmarrano-45523.portmap.host:45523
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: EaglesBC (2).exe (11.4MB; hashes as listed under General)
Score: 10/10
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)