General
Target: Code Extractor C++ and c# Craked by Lucifer.exe
Size: 340KB
Sample: 241102-v6pp3azqfw
MD5: df2a298979ca5221c86d537e707c650b
SHA1: a7d76d26fb7a5c16b76231bc9f5c2cfb0fc1161a
SHA256: a98f459547ffc3c515a83fd42be76c4b0eb89c07b2e268d110bbce4cb096182d
SHA512: 310f5508a7e87773d8f18689d0d166e3c5d6139c976e36c4f7242bdca1c80ab55520819eb7f3eb9b564321b3bad571120ef3f068b39d2599f8bce65d2a7064e6
SSDEEP: 6144:bt/u6mhPJGk59wRsyU9I9Vx1rcPm3m72XeN1mk5gOvZf1VLVRnIINQvq:bJyhRVf9I9Rcu3mqXomkuufbxRnTcq
Static task
static1

Malware Config
Extracted
Family: xworm
C2: 147.185.221.21:27938
Install_directory: %Userprofile%
install_file: svchost.exe
telegram: https://api.telegram.org/bot6575053517:AAHfQSqLTvzOajvn1QldlaGUVj-u9hK2upc/sendMessage?chat_id=7492036336
Targets
Target: Code Extractor C++ and c# Craked by Lucifer.exe
Size: 340KB
MD5: df2a298979ca5221c86d537e707c650b
SHA1: a7d76d26fb7a5c16b76231bc9f5c2cfb0fc1161a
SHA256: a98f459547ffc3c515a83fd42be76c4b0eb89c07b2e268d110bbce4cb096182d
SHA512: 310f5508a7e87773d8f18689d0d166e3c5d6139c976e36c4f7242bdca1c80ab55520819eb7f3eb9b564321b3bad571120ef3f068b39d2599f8bce65d2a7064e6
SSDEEP: 6144:bt/u6mhPJGk59wRsyU9I9Vx1rcPm3m72XeN1mk5gOvZf1VLVRnIINQvq:bJyhRVf9I9Rcu3mqXomkuufbxRnTcq

Signatures
Detect Xworm Payload
Xworm family
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.