General
Target: DisconnectLoader.exe
Size: 299KB
Sample: 241029-2v37ms1hjr
MD5: a1402e4eb98f1315e539ae57cf6553e2
SHA1: 5c01edfd70d19c0cf8939930dd5577476f0b76d2
SHA256: 1f03986d28f33070e9d13e9337f8a1f84b1e4c3cb02db0613b7f3ca4c0aa02b5
SHA512: dade0482a6b0b26cf713bfa7623f84199bd33e1d087af826d6f25af1b9204902d7ca2a38bad66a42ea074ef8f54785590236ac797b65d88ff2b96765f2ebb4b7
SSDEEP: 3072:fufodFK9MKOj7H2QAsSdADRq6ty71wtYM77ldY7AXTp2kA3:frK9IHuwH77Ppj0kA
Malware Config
Extracted
xworm
5.0
dane1c-58098.portmap.host:58098
scIy1UkjzpZZKLfI
Install_directory: %LocalAppData%
install_file: USB.exe
Targets
Target: DisconnectLoader.exe (size and hashes as listed under General)
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file