General
Target: BootStrapperV2.exe
Size: 70KB
Sample: 241103-gf53gawhjd
MD5: 869eb8101675b446f5d0494013b676ac
SHA1: bcf9b9deacbb90439ad920c565191e6d31dfa565
SHA256: e26cdf6b5b88b2bc91127406361c7ffc32090b454f7081dcaf11b15ed7da002c
SHA512: b551dcb11423e8b5ed54ac95052548d62b3d34c74b424c8a1320cb940425d0bca92bba501c1c82a3becf452df1a624b60a18a312537e0844e7ede7898acf5ad9
SSDEEP: 1536:P3XvLmMO78lkuciRlikj9Vkt+3ybDjkYb91XRlpfsW26J5SJX94Xx:P3DmM08vTikDkt+CIYb9Z2qSJX94B
Static task: static1
Behavioral task: behavioral1
Sample: BootStrapperV2.exe
Resource: win10ltsc2021-20241023-en
Malware Config
Extracted family: xworm
C2: where-reverse.gl.at.ply.gg:18649
Install_directory: %ProgramData%
install_file: Helper.exe
Targets
Target: BootStrapperV2.exe
Size: 70KB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the General section above (the analysed target is the submitted sample itself).
Score: 10/10
Signatures
- Detect Xworm Payload
- Xworm family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation: adversaries may obfuscate content during command execution to impede detection.
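The extracted config (C2 host and port, install directory, install file) and the behavioural signatures above (dropped EXE executed, outbound connection) translate directly into hunt logic. The script below is an example added to this report, not part of the sandbox output or the XWorm tooling: it takes the report's indicators and runs them over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, 22 DNS query). The event lines are made up for the demonstration, and `%ProgramData%` is assumed to resolve to the Windows default `C:\ProgramData`; on a real host expand it from the environment instead.

```python
import json

# Indicators taken verbatim from the report's "Malware Config" and "General" sections.
C2_HOST = "where-reverse.gl.at.ply.gg"
C2_PORT = 18649
INSTALL_FILE = "Helper.exe"
SAMPLE_SHA256 = "e26cdf6b5b88b2bc91127406361c7ffc32090b454f7081dcaf11b15ed7da002c"

# Assumption: %ProgramData% is the Windows default. Use os.environ["ProgramData"]
# on a live host instead of hard-coding it.
INSTALL_PATH = r"C:\ProgramData\Helper.exe"

# Constructed Sysmon-style events (not real telemetry), one JSON object per line.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\BootStrapperV2.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "SHA256=E26CDF6B5B88B2BC91127406361C7FFC32090B454F7081DCAF11B15ED7DA002C"}
{"EventID": 11, "Image": "C:\\Users\\victim\\Downloads\\BootStrapperV2.exe", "TargetFilename": "C:\\ProgramData\\Helper.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\Helper.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\BootStrapperV2.exe"}
{"EventID": 22, "Image": "C:\\ProgramData\\Helper.exe", "QueryName": "where-reverse.gl.at.ply.gg"}
{"EventID": 3, "Image": "C:\\ProgramData\\Helper.exe", "DestinationHostname": "where-reverse.gl.at.ply.gg", "DestinationPort": 18649}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationHostname": "example.org", "DestinationPort": 443}
"""


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def same_path(a, b):
    """Case-insensitive Windows path comparison that tolerates forward slashes."""
    return a.replace("/", "\\").lower() == b.replace("/", "\\").lower()


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return (rule_name, record_index) pairs for every event matching an indicator."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        # Exact-hash match against the analysed sample.
        if parse_hashes(ev.get("Hashes", "")).get("SHA256") == SAMPLE_SHA256:
            hits.append(("known_sample_hash", i))
        # Install_directory + install_file from the config: the file being written ...
        if eid == 11 and same_path(ev.get("TargetFilename", ""), INSTALL_PATH):
            hits.append(("install_file_written", i))
        # ... and then started ("Executes dropped EXE" in the signature list).
        if eid == 1 and same_path(image, INSTALL_PATH):
            hits.append(("dropped_exe_executed", i))
        # C2 host from the config, seen either as a DNS query or as a connection.
        host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
        if host.lower() == C2_HOST:
            hits.append(("c2_dns_lookup" if eid == 22 else "c2_connection", i))
        elif eid == 3 and ev.get("DestinationPort") == C2_PORT:
            # A port on its own is a weak indicator; keep it as a separate, lower-
            # confidence rule so it can be weighted differently downstream.
            hits.append(("c2_port_only", i))
    return hits


EVENTS = load_events(SAMPLE_LOG)
HITS = hunt(EVENTS)

if __name__ == "__main__":
    for rule, idx in HITS:
        print(f"{rule:22s} record {idx}: {EVENTS[idx]}")
```

Host-based matching on the C2 name is preferred over port-only matching because the port is an arbitrary tunnel endpoint; the file-write followed by a process start from the same `%ProgramData%\Helper.exe` path is the sequence that distinguishes the install step from a benign binary that happens to live under ProgramData.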