General
-
Target
hix.exe
-
Size
64KB
-
Sample
240908-fj2nsazdjb
-
MD5
123d31faaee2f2066caf43e1e7bfbb08
-
SHA1
d0d157dd90a4a1debd9ce16b5dc1875ae8979c6e
-
SHA256
bae421420cd119f2f9fc79e71cad6e61848ace3f59525206086ba2353d979451
-
SHA512
9834244deed2a70cb4800f75803f8ce5fd3faa741482eb851c93e566557ba00a5d21fe920483f675b452e9daaa970aeef7c500e4c6c1c3c9ee56ac70973105d1
-
SSDEEP
768:mwXIkOo/eRIQ3Y5vKbBcK6ONgCTGWi1IXtlXbuNvQYi6+FyOZhUeG7caHCP:/3s6vuT6IGj+t1buFfi6+FyOZJaiP
Malware Config
Extracted
xworm
distribution-between.gl.at.ply.gg:9999
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Targets
-
-
Target
hix.exe
-
Size
64KB
-
MD5
123d31faaee2f2066caf43e1e7bfbb08
-
SHA1
d0d157dd90a4a1debd9ce16b5dc1875ae8979c6e
-
SHA256
bae421420cd119f2f9fc79e71cad6e61848ace3f59525206086ba2353d979451
-
SHA512
9834244deed2a70cb4800f75803f8ce5fd3faa741482eb851c93e566557ba00a5d21fe920483f675b452e9daaa970aeef7c500e4c6c1c3c9ee56ac70973105d1
-
SSDEEP
768:mwXIkOo/eRIQ3Y5vKbBcK6ONgCTGWi1IXtlXbuNvQYi6+FyOZhUeG7caHCP:/3s6vuT6IGj+t1buFfi6+FyOZJaiP
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-