General
Target: Admin_Tools.exe
Size: 11.9MB
Sample: 241120-fz1fna1qhx
MD5: ba73b05ff9b01c18bf49fa758d75cee4
SHA1: b1166f33c0928fe811a735fb4b3b64eb70b8e0c0
SHA256: 4856b6b56eb3041a82eb27960edade517b4887278b634ef8e8a8af492c42565b
SHA512: 7cc0a3a100d0c70aa4e5bf6d363acb6fde489bcfbf5762afe9edb5aa636558671bb26fee2af1e1f26e1c34fc19a649b620b72c398d4424a5663d9cbdae5ce61a
SSDEEP: 196608:+yvlodBDq/LLsnXe0Xb3Qsu3Sjd5+s8VINpkGNSN1Jyci9UcpLl5xJkNlulQqPR/:+nu/aXlgJCjd5I0Xo1Jy0Blulj1f
Static task: static1
Behavioral task: behavioral1
Sample: Admin_Tools.exe
Resource: win10ltsc2021-20241023-en
Malware Config
Extracted family: xworm
Version: 5.0
C2: soon-console.gl.at.ply.gg:60222
C2: 127.0.0.1:7000
Mutex/key: uv0uHPhnJRlnE2ie
Install_directory: %AppData%
install_file: Windows.exe
Targets
Target: Admin_Tools.exe
Size: 11.9MB
MD5: ba73b05ff9b01c18bf49fa758d75cee4
SHA1: b1166f33c0928fe811a735fb4b3b64eb70b8e0c0
SHA256: 4856b6b56eb3041a82eb27960edade517b4887278b634ef8e8a8af492c42565b
SHA512: 7cc0a3a100d0c70aa4e5bf6d363acb6fde489bcfbf5762afe9edb5aa636558671bb26fee2af1e1f26e1c34fc19a649b620b72c398d4424a5663d9cbdae5ce61a
SSDEEP: 196608:+yvlodBDq/LLsnXe0Xb3Qsu3Sjd5+s8VINpkGNSN1Jyci9UcpLl5xJkNlulQqPR/:+nu/aXlgJCjd5I0Xo1Jy0Blulj1f
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.