General
-
Target
STEPGOD SUPER X GODDOM.exe
-
Size
14.2MB
-
Sample
241109-jq5wka1bjf
-
MD5
47e231a98f9fb0a6bb866b31acd89e4c
-
SHA1
42cdd1319cf6d7e417392a0320eb4d019c8304ef
-
SHA256
17038ab0688f417a07fa28b15a2cde8feea62c06c9e1eb97a56caa39431c47e5
-
SHA512
8bd240fbb873179b0995314d2ea8a6b0d1b7ce7fc464b1f118d699879f776236ef21a6b0d36e874f0094a8d7b92ef57e3df355bb3bba6bb6818efaad7a19dbc5
-
SSDEEP
393216:gd0C4hOp/ywm5Kr1yt9Jw0CALmA3pBt4M+O5kh+aN1cUfmhs:Tktd7c3Jw0CFA3pBCY5khRIq
Malware Config
Extracted
xworm
5.0
client-toilet.gl.at.ply.gg:29921
NvsfH1XO1syyGREn
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
STEPGOD SUPER X GODDOM.exe
-
Size
14.2MB
-
MD5
47e231a98f9fb0a6bb866b31acd89e4c
-
SHA1
42cdd1319cf6d7e417392a0320eb4d019c8304ef
-
SHA256
17038ab0688f417a07fa28b15a2cde8feea62c06c9e1eb97a56caa39431c47e5
-
SHA512
8bd240fbb873179b0995314d2ea8a6b0d1b7ce7fc464b1f118d699879f776236ef21a6b0d36e874f0094a8d7b92ef57e3df355bb3bba6bb6818efaad7a19dbc5
-
SSDEEP
393216:gd0C4hOp/ywm5Kr1yt9Jw0CALmA3pBt4M+O5kh+aN1cUfmhs:Tktd7c3Jw0CFA3pBCY5khRIq
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-