General
-
Target
490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
-
Size
41KB
-
Sample
241030-kjt16a1lhl
-
MD5
5c48fe3471cf8db3c8c1cc1278566ec7
-
SHA1
ec5b1513df34018699823939858846dceed347a7
-
SHA256
490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
-
SHA512
ac91cd0780099d02ee3d57962439812d5a5c147177caabbddedf2da274720c953543de7b8ce33d83cde8a5b9043736c75eac17779940292e5fa3024ca048320d
-
SSDEEP
768:tCJu44/aeqvujYXJMs5afEHDmaFWPa926OwhZZameu:tgu44/imwKsEfapFv926OwRzeu
Malware Config
Extracted
xworm
5.0
copy-nigeria.gl.at.ply.gg:21026
hHrxBd1WbcJItcMM
-
Install_directory
%ProgramData%
-
install_file
Desktop Windows Manager.exe
-
telegram
https://api.telegram.org/bot7269786725:AAF0IPx1BWTdW_vbZqP8HGNrxWWFpF5CvYs/sendMessage?chat_id=5465523859
Targets
-
-
Target
490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
-
Size
41KB
-
MD5
5c48fe3471cf8db3c8c1cc1278566ec7
-
SHA1
ec5b1513df34018699823939858846dceed347a7
-
SHA256
490865c96b82805a395497c5d870743b4fb9b2b9f3de548193a9dceaa11395a3
-
SHA512
ac91cd0780099d02ee3d57962439812d5a5c147177caabbddedf2da274720c953543de7b8ce33d83cde8a5b9043736c75eac17779940292e5fa3024ca048320d
-
SSDEEP
768:tCJu44/aeqvujYXJMs5afEHDmaFWPa926OwhZZameu:tgu44/imwKsEfapFv926OwRzeu
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1