General
-
Target
97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe
-
Size
653KB
-
Sample
241108-dw8azsvajd
-
MD5
2f70673f42fa875f6086be3f08d0228d
-
SHA1
9d669bedf14a71f846ffa4fd2026f8d956daa57e
-
SHA256
97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64
-
SHA512
3dfe6da9f87e82f59addc56aaad56f25305aa2f1ea4a579b9829dd4fffa4f89a93d74f5311e4194bf4c42b035394cf2e3fd5480b0237d24076c33c60603b9dc6
-
SSDEEP
12288:8qFKqcoUvEmbGqbxoVOxEKEXQ8MUzNkFa21YQ1G8aJqjZ0uqISt:8q0qconmNKYq5zZNkk2qQ8jJq10uqIg
Malware Config
Extracted
xworm
5.0
154.216.20.132:2233
NFxnDoJ61PAf6tB3
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64.exe
-
Size
653KB
-
MD5
2f70673f42fa875f6086be3f08d0228d
-
SHA1
9d669bedf14a71f846ffa4fd2026f8d956daa57e
-
SHA256
97ef8e5f7cce1ba7216aae7b44778fee1140371a68681b84b886bfbffb1e9e64
-
SHA512
3dfe6da9f87e82f59addc56aaad56f25305aa2f1ea4a579b9829dd4fffa4f89a93d74f5311e4194bf4c42b035394cf2e3fd5480b0237d24076c33c60603b9dc6
-
SSDEEP
12288:8qFKqcoUvEmbGqbxoVOxEKEXQ8MUzNkFa21YQ1G8aJqjZ0uqISt:8q0qconmNKYq5zZNkk2qQ8jJq10uqIg
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-