General
Target: 8e70da39f632e60160cc39e7960fe8026c07fe1556c3248a8fe94bdd738f6f69.exe
Size: 867KB
Sample: 241118-tzsygazgld
MD5: bed3b5ce30d2d279d91945bf705477bc
SHA1: 75c2cdb2cb3f9632aa1d6ec42a4ee5a5a995198f
SHA256: 8e70da39f632e60160cc39e7960fe8026c07fe1556c3248a8fe94bdd738f6f69
SHA512: 87415c6be1238aa20dfcadadd17f63e7651f552292e36f32ed8e29e36346433346b29447db75eb935316692b95d85e7b0e8b22d1f8997485a67e997e29f36b79
SSDEEP: 12288:i98NVBjvwSRz04lj4k/GG6yY5adl8M64mzx8B/wmtilK6yEbx9H:vV9vT5lj4MGdyY5SWv4mM/eyErH
Behavioral task
behavioral1
Sample: 8e70da39f632e60160cc39e7960fe8026c07fe1556c3248a8fe94bdd738f6f69.exe
Resource: win7-20241023-en
Malware Config
Extracted
xworm
45.84.199.152:7000
Install_directory: %Public%
install_file: Msedge.exe
Targets
Target: 8e70da39f632e60160cc39e7960fe8026c07fe1556c3248a8fe94bdd738f6f69.exe
Size: 867KB
MD5: bed3b5ce30d2d279d91945bf705477bc
SHA1: 75c2cdb2cb3f9632aa1d6ec42a4ee5a5a995198f
SHA256: 8e70da39f632e60160cc39e7960fe8026c07fe1556c3248a8fe94bdd738f6f69
SHA512: 87415c6be1238aa20dfcadadd17f63e7651f552292e36f32ed8e29e36346433346b29447db75eb935316692b95d85e7b0e8b22d1f8997485a67e997e29f36b79
SSDEEP: 12288:i98NVBjvwSRz04lj4k/GG6yY5adl8M64mzx8B/wmtilK6yEbx9H:vV9vT5lj4MGdyY5SWv4mM/eyErH
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.