General

  • Target

    robloxcheatloader.bat

  • Size

    297KB

  • Sample

    241009-g7gtysybnj

  • MD5

    615114ba6cad5ad7fe0e28339fbc5e51

  • SHA1

    931ac91d80b1d1149aa2603d9583e9282d0f0743

  • SHA256

    45b782f056d13bff3c3b4ac821455ee50b7fe7db2a273ade8a6bfa4d14ac3656

  • SHA512

    305c3df8806501a72d0db6d5485f0b85cbffb994cc1fb6c57f2587af569d6a364efbf7ae3cf9f59f8dc923ca24a83a3746f7e624c6205a9b623b8db7267095fb

  • SSDEEP

    6144:3HSmrJmgKx+Yv/dDTRFK74kVfSmVWYD4lzegex3aZ/SkR:350P6zqmB4lygeEYs
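The hash block above is what you match a suspect file against. As an added check (my own helper, not sandbox tooling), the script below digests a file with the same four algorithms and compares it to the IOCs; the IOC values are copied from this section, while the file path and the in-memory demonstration are assumptions. SSDEEP is left out because it needs a third-party library.

```python
"""Verify a file against the hash IOCs listed in this report.

Added example, not sandbox tooling. The IOC values below are copied from the
General section of the report; any file path passed in is the caller's.
"""
import hashlib
import sys
from typing import Dict

# Hash IOCs as listed in the report for robloxcheatloader.bat.
REPORT_IOCS: Dict[str, str] = {
    "md5": "615114ba6cad5ad7fe0e28339fbc5e51",
    "sha1": "931ac91d80b1d1149aa2603d9583e9282d0f0743",
    "sha256": "45b782f056d13bff3c3b4ac821455ee50b7fe7db2a273ade8a6bfa4d14ac3656",
    "sha512": (
        "305c3df8806501a72d0db6d5485f0b85cbffb994cc1fb6c57f2587af569d6a36"
        "4efbf7ae3cf9f59f8dc923ca24a83a3746f7e624c6205a9b623b8db7267095fb"
    ),
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digest an in-memory blob with every algorithm in the IOC set."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_IOCS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file in chunks so large samples need not fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in REPORT_IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests: Dict[str, str],
               iocs: Dict[str, str] = REPORT_IOCS) -> Dict[str, bool]:
    """Per-algorithm comparison; hex digests compare case-insensitively."""
    return {
        alg: digests.get(alg, "").lower() == expected.lower()
        for alg, expected in iocs.items()
    }


def verdict(digests: Dict[str, str],
            iocs: Dict[str, str] = REPORT_IOCS) -> str:
    """'match' when every digest agrees, 'no-match' when none does.

    'inconsistent' means some algorithms match and others do not. A genuine
    file cannot do that, so it points at a copy/paste error in the IOC
    record (or in the supplied digests) rather than at the file: re-check
    the record before acting on it.
    """
    results = match_iocs(digests, iocs)
    if all(results.values()):
        return "match"
    if any(results.values()):
        return "inconsistent"
    return "no-match"


if __name__ == "__main__":
    # Usage: python verify_iocs.py <file> [<file> ...]
    for path in sys.argv[1:]:
        digests = hash_file(path)
        print(path, verdict(digests), match_iocs(digests))
```

Run it against a quarantined copy of the file; a "match" on all four algorithms ties the artefact to this report, and an "inconsistent" result means the IOC record you are holding has been mangled somewhere and should not be trusted as-is.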

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      robloxcheatloader.bat

    • Size

      297KB

    • MD5

      615114ba6cad5ad7fe0e28339fbc5e51

    • SHA1

      931ac91d80b1d1149aa2603d9583e9282d0f0743

    • SHA256

      45b782f056d13bff3c3b4ac821455ee50b7fe7db2a273ade8a6bfa4d14ac3656

    • SHA512

      305c3df8806501a72d0db6d5485f0b85cbffb994cc1fb6c57f2587af569d6a364efbf7ae3cf9f59f8dc923ca24a83a3746f7e624c6205a9b623b8db7267095fb

    • SSDEEP

      6144:3HSmrJmgKx+Yv/dDTRFK74kVfSmVWYD4lzegex3aZ/SkR:350P6zqmB4lygeEYs

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Command and Scripting Interpreter: PowerShell

      Uses powershell.exe.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
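The behaviours flagged above, together with the install path from the extracted config, map onto host telemetry a defender can check. As an added example (my own detection logic, not the sandbox's signature code), the script below runs those checks over a constructed Sysmon-style event stream. The registry key, the list of IP-lookup hostnames, the process tree and every sample event are assumptions consistent with the report's descriptions, not facts recovered from the sample.

```python
"""Behavioural checks for the signatures listed in this report.

Added example, not the sandbox's signature code. Events are constructed,
Sysmon-like dicts; the registry key, the IP-lookup hostnames and the sample
event stream are assumptions that follow the report's descriptions.
"""
import re
from typing import Dict, Iterable, List

# Well-known external-IP lookup services. Assumption: the report does not
# name the service the sample contacted.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io",
    "checkip.amazonaws.com", "ifconfig.me",
}
# Windows region key. Assumption about what "country code configured in the
# registry" refers to.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.IGNORECASE)
# Install path from the extracted XWorm config: %AppData%\USB.exe
INSTALL_FILE_RE = re.compile(r"(\\AppData\\Roaming|%AppData%)\\USB\.exe$",
                             re.IGNORECASE)

RULES = {
    "powershell_from_batch": "Command and Scripting Interpreter: PowerShell",
    "checks_location": "Checks computer location settings",
    "external_ip_lookup": "Looks up external IP address via web service",
    "xworm_install_path": "File written to the XWorm install path",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: Iterable[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Return rule name -> matching events, omitting rules that never fired."""
    hits: Dict[str, List[Dict[str, str]]] = {name: [] for name in RULES}
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            image = _basename(ev.get("image", ""))
            parent = _basename(ev.get("parent_image", ""))
            parent_cmd = ev.get("parent_cmdline", "").lower()
            # powershell.exe launched by cmd.exe that is running a .bat file
            if image == "powershell.exe" and parent == "cmd.exe" and ".bat" in parent_cmd:
                hits["powershell_from_batch"].append(ev)
        elif kind == "registry":
            if GEO_KEY_RE.search(ev.get("key", "")):
                hits["checks_location"].append(ev)
        elif kind == "dns":
            if ev.get("query", "").lower().rstrip(".") in IP_LOOKUP_HOSTS:
                hits["external_ip_lookup"].append(ev)
        elif kind == "file":
            if INSTALL_FILE_RE.search(ev.get("path", "")):
                hits["xworm_install_path"].append(ev)
    return {name: evs for name, evs in hits.items() if evs}


def triggered(events: Iterable[Dict[str, str]]) -> List[str]:
    """Sorted names of the rules that fired."""
    return sorted(evaluate(events))


# Constructed sample telemetry; paths and hostnames are illustrative only.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r'cmd.exe /c ""C:\Users\user\Downloads\robloxcheatloader.bat""'},
    {"type": "registry", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\USB.exe"},
    {"type": "dns", "query": "api.ipify.org"},
    {"type": "dns", "query": "www.microsoft.com"},
]

BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"type": "dns", "query": "www.microsoft.com"},
]

if __name__ == "__main__":
    for name, evs in evaluate(SAMPLE_EVENTS).items():
        print(f"{RULES[name]}: {len(evs)} event(s)")
```

Each rule on its own is weak (PowerShell from a batch file and external-IP lookups both occur in legitimate software), so treat the set as a scoring input rather than four independent alerts; the install-path hit is the most specific because it comes from the extracted config rather than from generic behaviour.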

MITRE ATT&CK Enterprise v15

Tasks