General

  • Target

    DisconnectLoader.exe

  • Size

    299KB

  • Sample

    241029-2v37ms1hjr

  • MD5

    a1402e4eb98f1315e539ae57cf6553e2

  • SHA1

    5c01edfd70d19c0cf8939930dd5577476f0b76d2

  • SHA256

    1f03986d28f33070e9d13e9337f8a1f84b1e4c3cb02db0613b7f3ca4c0aa02b5

  • SHA512

    dade0482a6b0b26cf713bfa7623f84199bd33e1d087af826d6f25af1b9204902d7ca2a38bad66a42ea074ef8f54785590236ac797b65d88ff2b96765f2ebb4b7

  • SSDEEP

    3072:fufodFK9MKOj7H2QAsSdADRq6ty71wtYM77ldY7AXTp2kA3:frK9IHuwH77Ppj0kA

Malware Config

Extracted

Family

xworm

Version

5.0

C2

dane1c-58098.portmap.host:58098

Mutex

scIy1UkjzpZZKLfI

Attributes

  • Install_directory

    %LocalAppData%

  • install_file

    USB.exe

aes.plain

Targets

    • Target

      DisconnectLoader.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks