General

  • Target

    Network.exe

  • Size

    91KB

  • Sample

    241114-qtg28szdrc

  • MD5

    e14da59f36f995b0a212775074e25ce7

  • SHA1

    574ba408726a83ec63a37782cc4e0cf2f009dabd

  • SHA256

    19fcfef4db315e0d0a65bb7f13b35503559a00f2fb83298449fd719075f32c45

  • SHA512

    6db0b5a34ca9e9e234b841cfb44bc5b5e9c3fea2585634702b8bfcf44af947e48b5c2ac4ec8d532b84b0c7c6aec6ea1b1155f5a75b7fdbe363b1eb2370c63b21

  • SSDEEP

    1536:T+xqTU3nmojQskipBeEQPs0BoBONEX2J4wBMPjdbqYDK/z5iEcd64qLpt6x3OQ3q:TtTU3nmojQsk9PoXs4wBMBbqYU53gGtL

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    NetworkEXP.exe

  • pastebin_url

    https://pastebin.com/raw/RgYXYwVV

  • telegram

    https://api.telegram.org/bot6554307825:AAFiCM4YZlx7R1yb0K0d5pqenjePI2Nljfc/sendMessage?chat_id=6077384108

Targets

    • Target

      Network.exe

    • Size

      91KB

    • MD5

      e14da59f36f995b0a212775074e25ce7

    • SHA1

      574ba408726a83ec63a37782cc4e0cf2f009dabd

    • SHA256

      19fcfef4db315e0d0a65bb7f13b35503559a00f2fb83298449fd719075f32c45

    • SHA512

      6db0b5a34ca9e9e234b841cfb44bc5b5e9c3fea2585634702b8bfcf44af947e48b5c2ac4ec8d532b84b0c7c6aec6ea1b1155f5a75b7fdbe363b1eb2370c63b21

    • SSDEEP

      1536:T+xqTU3nmojQskipBeEQPs0BoBONEX2J4wBMPjdbqYDK/z5iEcd64qLpt6x3OQ3q:TtTU3nmojQsk9PoXs4wBMBbqYU53gGtL

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks