General
-
Target
test2.exe
-
Size
77KB
-
Sample
241109-lwjavsvngn
-
MD5
bf48a7928ec32e594ee49cfee2c91414
-
SHA1
73c8202dd8a175d68094a8113daafe1f8ed5b45e
-
SHA256
9711bbfc8a0ce69d749fc22b8d4e484de5c96c5d667c0f62910b930afa491587
-
SHA512
dc4aabc93fe82427acc3f231e1db1a2b2286cde288a33eb00ebbd4c816677d35ebfed015b8a9ae3731536f8e1d0a8b0611f404a7601bd901edf5efcb00ca00b4
-
SSDEEP
1536:jzxKxF1kLHgDhMfDcNIolG9TEN+b1L99dFlxzz6DlP6Om7OH6EwaDF:j1q6fwNo1EN+b999lFAnm7OarCF
Malware Config
Extracted
xworm
0.tcp.ap.ngrok.io:4411
-
Install_directory
%Public%
-
install_file
hh.exe
Targets
-
-
Target
test2.exe
-
Size
77KB
-
MD5
bf48a7928ec32e594ee49cfee2c91414
-
SHA1
73c8202dd8a175d68094a8113daafe1f8ed5b45e
-
SHA256
9711bbfc8a0ce69d749fc22b8d4e484de5c96c5d667c0f62910b930afa491587
-
SHA512
dc4aabc93fe82427acc3f231e1db1a2b2286cde288a33eb00ebbd4c816677d35ebfed015b8a9ae3731536f8e1d0a8b0611f404a7601bd901edf5efcb00ca00b4
-
SSDEEP
1536:jzxKxF1kLHgDhMfDcNIolG9TEN+b1L99dFlxzz6DlP6Om7OH6EwaDF:j1q6fwNo1EN+b999lFAnm7OarCF
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1