xworm

Sharing

Copy URL

Twitter E-mail

General

Target

Project-LSD-Gorilla-Tag-main.zip
Size

1019KB
Sample

240825-vw5zasxbpq
MD5

d585dbe2c64eac8b5d4b97a961b8cc80
SHA1

e901d96b9c5f45f4b656309d47344f62c9077b79
SHA256

29fed046e6cb8a389667d00e1762e2dd76cdc2447fb8eeeb1384f16a3840864c
SHA512

59c6ea9ee55eb4de8fcca8e69f1f7a8eddc76a646cd0853bd219e3a1492c2c2b29939bddf6d5ac825ca7241c458d11031cc4bc5cb323f54d232a99d21101d74c
SSDEEP

24576:thbneG+umDBMroPH8LCyn5IYWaoc7CcqNgoEXy9epuE6VdW/qd:jepumAxC+6YWaH7zoEXWdW/qd

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

7.tcp.ngrok.io:22206

Mutex

gZUzvp6k0Vw7befo

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6356371662:AAF4_y4uR4P5salxGzkxmxDwHJPbGvs4F18

aes.plain

Targets

- Target
  
  Project-LSD-Gorilla-Tag-main.zip
- Size
  
  1019KB
- MD5
  
  d585dbe2c64eac8b5d4b97a961b8cc80
- SHA1
  
  e901d96b9c5f45f4b656309d47344f62c9077b79
- SHA256
  
  29fed046e6cb8a389667d00e1762e2dd76cdc2447fb8eeeb1384f16a3840864c
- SHA512
  
  59c6ea9ee55eb4de8fcca8e69f1f7a8eddc76a646cd0853bd219e3a1492c2c2b29939bddf6d5ac825ca7241c458d11031cc4bc5cb323f54d232a99d21101d74c
- SSDEEP
  
  24576:thbneG+umDBMroPH8LCyn5IYWaoc7CcqNgoEXy9epuE6VdW/qd:jepumAxC+6YWaH7zoEXWdW/qd
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  Project-LSD-Gorilla-Tag-main/LICENSE
- Size
  
  11KB
- MD5
  
  86d3f3a95c324c9479bd8986968f4327
- SHA1
  
  7df059597099bb7dcf25d2a9aedfaf4465f72d8d
- SHA256
  
  c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4
- SHA512
  
  dc6b68d13b8cf959644b935f1192b02c71aa7a5cf653bd43b4480fa89eec8d4d3f16a2278ec8c3b40ab1fdb233b3173a78fd83590d6f739e0c9e8ff56c282557
- SSDEEP
  
  192:fU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:M9vlKM1zJlFvmNz5VrlkTS07Ht
Score

1^/10
behavioral3 behavioral4
- Target
  
  Project-LSD-Gorilla-Tag-main/LSD.zip
- Size
  
  1015KB
- MD5
  
  35dfb059bb535f84973cc977600a4288
- SHA1
  
  d91067d646c0bbf17f23acf62b666d850306ef79
- SHA256
  
  621104378d82d5c57b12bc30ac70c179064949f1b114288b559d412b70a4c653
- SHA512
  
  cac96f7d0fdbaa9587a1d18f26cc761541ade1ccc61c225d33ee642602a89895a84a316bfc5efa17675da7aa765c673dfd8c30942cc83165fb026f5c8f828d33
- SSDEEP
  
  24576:IhbneG+umDBMroPH8LCyn5IYWaoc7CcqNgoEXy9epuE6VdW/qg:UepumAxC+6YWaH7zoEXWdW/qg
Score

1^/10
behavioral5 behavioral6
- Target
  
  LSD.bat
- Size
  
  1.3MB
- MD5
  
  a9550f1c944a4bce9df986467e8c8065
- SHA1
  
  da6c3d1e0b74a372f36b757917f0e9ddbd9ef4c3
- SHA256
  
  b7e0820ac8d4ca27a84814f33838a9892aaaec76f8837e791d6bad95e6259529
- SHA512
  
  fa76880904d49ac990a6b1172cf4aaa71c6119c17ed8c7bf31a9922433499ba3630d554273b49467ad59678d5d348deb8d7ce55b1120b4972941609566a732ca
- SSDEEP
  
  24576:IGaUv+Fjs045DPskYT2fBgr5ewKfgqVjS59G26wl9OM9g+l6xjSHWwu5:L9+yPf+VeYG2tI1QMW2z
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral7 behavioral8
- Target
  
  Project-LSD-Gorilla-Tag-main/README.md
- Size
  
  96B
- MD5
  
  8f87ff22969f178a7e4f5a446506ba43
- SHA1
  
  cb7cf905edc0f9433c3358ef3315d74adf8d8dde
- SHA256
  
  25ed546714b7110d8c7fbd2c792714665f03f343ffc6e05d1f378fcb4afddc03
- SHA512
  
  a6ee624a2be1841c8adc74c1a04b0c6031b9b7fd9d00ac83f4d53d5f31414926948784e2ce8151adc4d43d861f27cab9311954bedd5443383d5bb861c346ddf6
Score

3^/10

discovery
behavioral10 behavioral9