General
-
Target
925dcca433ad653cb99eea5318246960851c4dfd69d67cbb978578494af79dcc.ps1
-
Size
331KB
-
Sample
241102-vmmflazerd
-
MD5
ffc19d662d5831753bd6a1e1dce46f6b
-
SHA1
7ce271ccdeae2f30c70dba1a875a215ee51e2b7a
-
SHA256
925dcca433ad653cb99eea5318246960851c4dfd69d67cbb978578494af79dcc
-
SHA512
1c6615b92d998a4b28a2f1afc1d54dd94e94ea6c3561d2bb7dcfc8ceeeb726b2b3580fb2fc228c62f8f042db16a28f849b0d97412a2065510c2b615802a226f8
-
SSDEEP
1536:k/0mI+fIMtxO/gYOUxUErIsOKlKE7HTZDYjm2IHnfRLlUJMjcI559G7jyD8WUIOQ:kKxwaD5WphZKxwaD5Wph/Q
Malware Config
Extracted
xworm
127.0.0.1:7000
91.92.252.220:7000
-
Install_directory
%Temp%
-
install_file
mstc.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Targets
-
-
Target
925dcca433ad653cb99eea5318246960851c4dfd69d67cbb978578494af79dcc.ps1
-
Size
331KB
-
MD5
ffc19d662d5831753bd6a1e1dce46f6b
-
SHA1
7ce271ccdeae2f30c70dba1a875a215ee51e2b7a
-
SHA256
925dcca433ad653cb99eea5318246960851c4dfd69d67cbb978578494af79dcc
-
SHA512
1c6615b92d998a4b28a2f1afc1d54dd94e94ea6c3561d2bb7dcfc8ceeeb726b2b3580fb2fc228c62f8f042db16a28f849b0d97412a2065510c2b615802a226f8
-
SSDEEP
1536:k/0mI+fIMtxO/gYOUxUErIsOKlKE7HTZDYjm2IHnfRLlUJMjcI559G7jyD8WUIOQ:kKxwaD5WphZKxwaD5Wph/Q
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-