General
-
Target
5336a5cc2928e73b44cae3e7898fbd906e564ca2537453bd5c8d5e48f9abb6c6
-
Size
200KB
-
Sample
241120-2yctvszlgn
-
MD5
8610f3e5e6721f18e59023147a1d9858
-
SHA1
53d3083d2b503d4d32d813f6258645d2de743cd9
-
SHA256
5336a5cc2928e73b44cae3e7898fbd906e564ca2537453bd5c8d5e48f9abb6c6
-
SHA512
ff64e1681cad0dc82209cf5b50d4be1857df917f818bf0b87ff171622105a51e77ef617d9c36088a13c1cddb14c76aebb61089d442568acdfffe3dfc6ec5174e
-
SSDEEP
3072:7wnJrBdif+bquaw5m+NxxlO7y2JQTKalOt2+UY9Qqsc35SpiVs0vNwu38GkVbEax:7sRBdRbRD7B2q3zEd
Malware Config
Extracted
xworm
parties-days.gl.at.ply.gg:53684
-
Install_directory
%AppData%
-
install_file
KRX Client.exe
Targets
-
-
Target
5336a5cc2928e73b44cae3e7898fbd906e564ca2537453bd5c8d5e48f9abb6c6
-
Size
200KB
-
MD5
8610f3e5e6721f18e59023147a1d9858
-
SHA1
53d3083d2b503d4d32d813f6258645d2de743cd9
-
SHA256
5336a5cc2928e73b44cae3e7898fbd906e564ca2537453bd5c8d5e48f9abb6c6
-
SHA512
ff64e1681cad0dc82209cf5b50d4be1857df917f818bf0b87ff171622105a51e77ef617d9c36088a13c1cddb14c76aebb61089d442568acdfffe3dfc6ec5174e
-
SSDEEP
3072:7wnJrBdif+bquaw5m+NxxlO7y2JQTKalOt2+UY9Qqsc35SpiVs0vNwu38GkVbEax:7sRBdRbRD7B2q3zEd
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-