General
-
Target
FiceMSpoofer.exe
-
Size
79KB
-
Sample
241109-3whg1atpdw
-
MD5
a0271b9ae627548e444ec28e80c49068
-
SHA1
3dd83dd24753dcfa19bfbd74878fd62b41ab0b50
-
SHA256
013b8d2a4d0c1e40fcaba90806beaf0e88504e74e9ff92ef6421b42d592bd3f0
-
SHA512
a4746d45f4daf8bb2ba33701e695271f05e6ec5104a2b80d7f27eeb476f76b3ebd4cd40c29e0c50ad0935eb18ffc99e2f4db0b63fe65456d25f5d413a18df6a3
-
SSDEEP
1536:+rae78zjORCDGwfdCSog01313Ks5gE2k:GahKyd2n31T5r2k
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/mDSLGN9q
-
telegram
https://api.telegram.org/bot7168105056:AAGVK3B7ZFupxq4PpmnBpxAQOwJ5CUp76ow/sendMessage?chat_id=1992635040
Targets
-
-
Target
FiceMSpoofer.exe
-
Size
79KB
-
MD5
a0271b9ae627548e444ec28e80c49068
-
SHA1
3dd83dd24753dcfa19bfbd74878fd62b41ab0b50
-
SHA256
013b8d2a4d0c1e40fcaba90806beaf0e88504e74e9ff92ef6421b42d592bd3f0
-
SHA512
a4746d45f4daf8bb2ba33701e695271f05e6ec5104a2b80d7f27eeb476f76b3ebd4cd40c29e0c50ad0935eb18ffc99e2f4db0b63fe65456d25f5d413a18df6a3
-
SSDEEP
1536:+rae78zjORCDGwfdCSog01313Ks5gE2k:GahKyd2n31T5r2k
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-