General
-
Target
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N
-
Size
66KB
-
Sample
241108-vppnqswdpl
-
MD5
2b494d570e8555cd6dbca8dadae59840
-
SHA1
c59544f6f3a027887f0e4b0cccce87515ba3950f
-
SHA256
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
-
SHA512
fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
-
SSDEEP
1536:iKQYa5VddJ8rYtvAq9dAfkb15LU3v2D4oD0l8laOEeVHN:iKQYa5DdyEAq9d6kb15LU3A4ovaOEe5N
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/H3wFXmEi
Targets
-
-
Target
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12N
-
Size
66KB
-
MD5
2b494d570e8555cd6dbca8dadae59840
-
SHA1
c59544f6f3a027887f0e4b0cccce87515ba3950f
-
SHA256
7212825fd674cedb58ad3e6f72b312158c491386cc36b745cc04ad2617427e12
-
SHA512
fe8ca241a512b55758e47e8962bfa1d3d1017559e199d21cbf07afc830d3460a9b6d0f868bfa7ea59979d254c6a29e4d18cf9ae25a6e5b7726a7eb514eb6ea5a
-
SSDEEP
1536:iKQYa5VddJ8rYtvAq9dAfkb15LU3v2D4oD0l8laOEeVHN:iKQYa5DdyEAq9d6kb15LU3A4ovaOEe5N
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1