General

  • Target

    Xworm+V7.0.exe

  • Size

    15.5MB

  • Sample

    240818-a2173syfmk

  • MD5

    d8e168a28df4c3b07f3aa33251eb9973

  • SHA1

    a201db9b5593a1290e4feaa72ee7f0e246cbd5eb

  • SHA256

    e325de946ae78c2063a281903a819a84915411b2b0a1beb5fbb8dd6dbb60acc0

  • SHA512

    0c8a08d0afcf94c3361287dfb59a0b089d5908136ed657ceb9d3c94fc6d7149879ae0dad987e9e302630ffe3651769b27a31676fa1b44ca298ede07fbc8a28f9

  • SSDEEP

    393216:/z/DJJoIRv/PiktGiZis6mjSkPQ+GvRRJf:/Ho2iqRsskkPQ/5RJf

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

OnCH8EVI1tYADuXo

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    msedge.exe

  • pastebin_url

    https://pastebin.com/raw/RPPi3ByL

  • telegram

    https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

aes.plain
aes.plain
aes.plain

Targets

    • Target

      Xworm+V7.0.exe

    • Size

      15.5MB

    • MD5

      d8e168a28df4c3b07f3aa33251eb9973

    • SHA1

      a201db9b5593a1290e4feaa72ee7f0e246cbd5eb

    • SHA256

      e325de946ae78c2063a281903a819a84915411b2b0a1beb5fbb8dd6dbb60acc0

    • SHA512

      0c8a08d0afcf94c3361287dfb59a0b089d5908136ed657ceb9d3c94fc6d7149879ae0dad987e9e302630ffe3651769b27a31676fa1b44ca298ede07fbc8a28f9

    • SSDEEP

      393216:/z/DJJoIRv/PiktGiZis6mjSkPQ+GvRRJf:/Ho2iqRsskkPQ/5RJf

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Download via BitsAdmin

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks