General
-
Target
.exe
-
Size
90KB
-
Sample
241119-sbaasayamk
-
MD5
b5e9d925a5cbc599a04462e05001f790
-
SHA1
599ab617d497cb99149ac5168c0cab402d5874d2
-
SHA256
07712414bdc55e8b60f9459cd358a09fed23c017a2ad96f641c59ebab40d8995
-
SHA512
e85a47fd15ec65fd1a4b59c42a431cebbace69596f131729e4467852e14e375810a10950f4124899c2251565acc41541033062b3f08d4e1f3f09a1960b6cd367
-
SSDEEP
1536:eCCCCCU1QhJtr2u5yzzRHdc9RkR3598k6Tv9aHwAZhVnudYsYxAOltnMo:Z9yzzVaRJXTv9gwUOE2mB
Malware Config
Extracted
xworm
45.141.27.248:7777
-
Install_directory
%AppData%
-
install_file
svchost.exe
Targets
-
-
Target
.exe
-
Size
90KB
-
MD5
b5e9d925a5cbc599a04462e05001f790
-
SHA1
599ab617d497cb99149ac5168c0cab402d5874d2
-
SHA256
07712414bdc55e8b60f9459cd358a09fed23c017a2ad96f641c59ebab40d8995
-
SHA512
e85a47fd15ec65fd1a4b59c42a431cebbace69596f131729e4467852e14e375810a10950f4124899c2251565acc41541033062b3f08d4e1f3f09a1960b6cd367
-
SSDEEP
1536:eCCCCCU1QhJtr2u5yzzRHdc9RkR3598k6Tv9aHwAZhVnudYsYxAOltnMo:Z9yzzVaRJXTv9gwUOE2mB
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1