General

  • Target

    XWorm V5.6.rar

  • Size

    22.7MB

  • Sample

    241111-zrmpdazjfp

  • MD5

    bf2914828889b9f53f5dca3d9bda6f17

  • SHA1

    7155e7938a6474d637a83c692eb60d34a8c6e94b

  • SHA256

    0a10a2d40d0d1af7fe2d6c90e6ec033bebac388c247845459c59a6cb3e1f1350

  • SHA512

    304b612339c0698c4ced92672eb559be4bcdfcdf94c16621430d8822939b970ee9491a7686aa36c3e14527bf0137728c57462e5bbc2107aab32bdce2f929727f

  • SSDEEP

    393216:ygLv40tO3Q7adTFRWjVzPZQOo4IdenR/XdGmq+j0f2NXPM3Py/ZmZUeoatgiZMdC:yuw0tO3d9zWjVTZQOoSnR/sygONXPaPd

Malware Config

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks