General
Target: driver-booster-windows-12.0.0.308-11236.exe
Size: 25.3MB
Sample: 241010-vj22wasajr
MD5: 3bd43fae300070dbf4387ad227fc4fc1
SHA1: d67db4bb37acfb52d7a1922d37b85ce6cc6d753a
SHA256: 0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99
SHA512: da65632725340cc32b74a4e999c7a0d7ba7105eba9eab17e0c35ecaffd2205ab7d31d41d11300c5d940f63122020d9aa7a43877a20b22414d25d5d170a9743e6
SSDEEP: 393216:9FKV6EAgMhJ5f/3X9F3M9i2DsQ8isPBhHtWrreJwrVF+oNMcT3Xy7yoW:9cMvzXELDs5isPbHtOr7v+oNMsXT
Static task: static1
Behavioral task: behavioral1
Sample: driver-booster-windows-12.0.0.308-11236.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: xworm
C2: MadeInMood1-40937.portmap.host:40937
Install_directory: %AppData%
install_file: XClient.exe
telegram: https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q/sendMessage?chat_id=7534517325
Targets
Target: driver-booster-windows-12.0.0.308-11236.exe
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
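The extracted configuration and the behavioural signatures above, turned into host and network detection logic as an added example (this code is not part of the sandbox report). The C2 host and port, the %AppData%\XClient.exe install path, the Telegram Bot API URL and the sample's SHA256 are copied from the report; everything else is an assumption: the Sysmon-style event field names, the constructed telemetry, the registry key used for the "Checks computer location settings" behaviour (HKCU\Control Panel\International\Geo\Nation is where Windows keeps the configured GeoID, but the report does not name the key it saw) and the IP-echo hostnames (the report does not name the service). The rules also generalise beyond this sample, which the report does not state: any peer under *.portmap.host (a public port-forwarding relay, hence a rented C2 endpoint rather than attacker-owned infrastructure) and any Bot API call from a non-browser process are flagged at lower confidence, so a repacked variant with a fresh token or relay name still surfaces. The parsed Telegram record deliberately drops the secret half of the bot token so it can be pasted into a ticket or SIEM without carrying a usable credential.

```python
"""Detection logic built from the Xworm configuration and behaviours in this report.

Added example, not part of the sandbox report. IOC values are copied from the
report; the telemetry is constructed (Sysmon-style dicts). The registry key
and the IP-echo hostnames are assumptions about what the "Checks computer
location settings" and "Looks up external IP address" signatures observed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Indicators taken from the extracted configuration above.
C2_HOST = "MadeInMood1-40937.portmap.host"
C2_PORT = 40937
TELEGRAM_URL = ("https://api.telegram.org/bot7375237961:AAFlPWXmEriRUUWDWeG1DeZifKaAFaWD10Q"
                "/sendMessage?chat_id=7534517325")
SAMPLE_SHA256 = "0fc1658f9e5bcdc8f1d437fbbfe30a1e12a6535c3610b65521cce786246f5a99"
# %AppData% expands to C:\Users\<user>\AppData\Roaming, so match on the path tail.
INSTALL_TAIL = r"\appdata\roaming\xclient.exe"

# Assumption: Windows stores the configured GeoID here; the report only says
# "country code configured in the registry".
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"
# Assumption: common public IP-echo services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "icanhazip.com"}


def parse_telegram_exfil(url):
    """Split a Bot API URL into bot id, method and chat id.

    The secret half of the token is deliberately dropped so the parsed record
    can go into a ticket or SIEM without carrying a usable credential.
    """
    u = urlparse(url)
    m = re.match(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$", u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    bot_id, _secret, method = m.groups()
    chat_id = parse_qs(u.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "method": method, "chat_id": chat_id}


def detect(events):
    """Return (rule, detail) pairs for events matching the report's IOCs and behaviours.

    Rules go from most specific (this sample's C2 and bot) to generic
    (any *.portmap.host peer, any Bot API call), so a repacked variant with a
    new token or relay hostname still surfaces at lower confidence.
    """
    known_bot = parse_telegram_exfil(TELEGRAM_URL)["bot_id"]
    hits = []
    for e in events:
        image, kind = e["image"], e["type"]
        if kind == "process_create":
            if image.lower().endswith(INSTALL_TAIL):
                hits.append(("xworm_install_path", image))
            if e.get("sha256", "").lower() == SAMPLE_SHA256:
                hits.append(("known_sample_hash", image))
        elif kind == "network_connect":
            host, port = e["dest_host"].lower(), int(e["dest_port"])
            if host == C2_HOST.lower() and port == C2_PORT:
                hits.append(("xworm_c2", f"{image} -> {host}:{port}"))
            elif host.endswith(".portmap.host"):
                hits.append(("portmap_relay", f"{image} -> {host}:{port}"))
            elif host in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", f"{image} -> {host}"))
        elif kind == "http_request":
            info = parse_telegram_exfil(e["url"])
            if info and info["bot_id"] == known_bot:
                hits.append(("telegram_exfil_known_bot", f"{image} chat_id={info['chat_id']}"))
            elif info:
                hits.append(("telegram_bot_api_call", f"{image} bot_id={info['bot_id']}"))
        elif kind == "registry_read" and e["key"].lower() == GEO_KEY.lower():
            hits.append(("geo_check", f"{image} read {e['key']}"))
    return hits


XCLIENT = r"C:\Users\victim\AppData\Roaming\XClient.exe"
# Constructed telemetry, in the order the report's behaviours would occur.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\victim\Downloads\driver-booster-windows-12.0.0.308-11236.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "process_create", "image": XCLIENT, "sha256": "0" * 64},
    {"type": "registry_read", "image": XCLIENT, "key": GEO_KEY},
    {"type": "network_connect", "image": XCLIENT, "dest_host": "api.ipify.org", "dest_port": 443},
    {"type": "network_connect", "image": XCLIENT, "dest_host": C2_HOST, "dest_port": C2_PORT},
    {"type": "http_request", "image": XCLIENT, "url": TELEGRAM_URL},
    # Benign browser traffic that must not match any rule.
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

Run stand-alone it prints one line per matched rule for the six malicious events and nothing for the browser connection. Feeding real Sysmon event IDs 1 (process create), 3 (network connect), 13 (registry read) and a proxy log into the same dict shape is the only adaptation needed.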