General
-
Target
940e9575b88e65925a1022c976cc1beb0a75c42d7a956a7b6e14bd7d48038a2b
-
Size
70KB
-
Sample
241119-xs3e4s1drl
-
MD5
fc2adb95856fbd7850ffe80550556c84
-
SHA1
f763d8ebb60a91ebe560ad8bb1ebd26200c60311
-
SHA256
940e9575b88e65925a1022c976cc1beb0a75c42d7a956a7b6e14bd7d48038a2b
-
SHA512
895b3be411cc1cb2e4cd4561e40d20b95c6ae0292f2c8698ce0225a092a4a2320be4a2f5360f3010bca423ac4b8446dc8b637a9a2d2452e483cf82602c21d3d1
-
SSDEEP
1536:TLsxzl3saJFUumj5X6UWQbuoZhsWlQf6AeOqzTD23:TLspxs+UumvvbjdQaOq/K3
Malware Config
Extracted
xworm
different-da.gl.at.ply.gg:46568
-
Install_directory
%AppData%
-
install_file
System.exe
-
telegram
https://api.telegram.org/bot7872237749:AAF0xKTawqNrsH-1Rsq1CxgAFFTtw942WZA/sendMessage?chat_id=867995626
Targets
-
-
Target
940e9575b88e65925a1022c976cc1beb0a75c42d7a956a7b6e14bd7d48038a2b
-
Size
70KB
-
MD5
fc2adb95856fbd7850ffe80550556c84
-
SHA1
f763d8ebb60a91ebe560ad8bb1ebd26200c60311
-
SHA256
940e9575b88e65925a1022c976cc1beb0a75c42d7a956a7b6e14bd7d48038a2b
-
SHA512
895b3be411cc1cb2e4cd4561e40d20b95c6ae0292f2c8698ce0225a092a4a2320be4a2f5360f3010bca423ac4b8446dc8b637a9a2d2452e483cf82602c21d3d1
-
SSDEEP
1536:TLsxzl3saJFUumj5X6UWQbuoZhsWlQf6AeOqzTD23:TLspxs+UumvvbjdQaOq/K3
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1