General
-
Target
Xevo-bootstrapper.exe
-
Size
866KB
-
Sample
241114-d76arsthkb
-
MD5
ced772286eabb38ef955a3df63979754
-
SHA1
eea0fc2849d82b213fe603de8c5b452e7714b5b3
-
SHA256
709b859894e9d3a4cfe0c194738ca60a5747a0ace6b5dc8786c28825f257b123
-
SHA512
a3fb03ef9a642d4d024d7979a98cf3d34670988648e37c0ce93376dcec59aca3121e24d0e46d81bcab444ce7d9d6e4ba43004146bcc43246793696d7628d51bd
-
SSDEEP
24576:QAFbBbDZg8bjv4zk1iMuGaHknfPBAuGY+DsWZya:xPZ2vMuGasfPBeCWZ7
Malware Config
Extracted
xworm
Cactus-33152.portmap.host:33152
-
Install_directory
%AppData%
-
install_file
Teams.exe
Targets
-
-
Target
Xevo-bootstrapper.exe
-
Size
866KB
-
MD5
ced772286eabb38ef955a3df63979754
-
SHA1
eea0fc2849d82b213fe603de8c5b452e7714b5b3
-
SHA256
709b859894e9d3a4cfe0c194738ca60a5747a0ace6b5dc8786c28825f257b123
-
SHA512
a3fb03ef9a642d4d024d7979a98cf3d34670988648e37c0ce93376dcec59aca3121e24d0e46d81bcab444ce7d9d6e4ba43004146bcc43246793696d7628d51bd
-
SSDEEP
24576:QAFbBbDZg8bjv4zk1iMuGaHknfPBAuGY+DsWZya:xPZ2vMuGasfPBeCWZ7
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1