General

  • Target

    exno-multitool.bat

  • Size

    312KB

  • Sample

    240808-1mjmlatgqc

  • MD5

    35f2566540e2b6d4d6936a1f69c9b61c

  • SHA1

    c54fdbe3b77c3cb24daf7e0157236c088f06b9e0

  • SHA256

    6da093e67df15817141cb314b208da8c750e14bcda70293aac9aea354f708a92

  • SHA512

    4096802c29db97ad4cec416413c35a2060c3da13c9512c1290beff6ab518b6fd18867a57771f4e7a3c96b077bf96408ddf2732cc602fa8d6166a374d2f7cbae9

  • SSDEEP

    6144:YuQfKrYP5G4V8rw0vUPaPJKHNVdhsjIq7pZMB+hhQi/rcf06yfnkX:Yu1rkG4V8rw6U2JKtVPsjIwMBqjDcVyY

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://ipapi.co/json/

Extracted

  • Family

    xworm

  • C2

    browse-brokers.gl.at.ply.gg:53049

Attributes
  • Install_directory

    %AppData%

  • install_file

    server.exe

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks