General
-
Target
nixware crack .exe
-
Size
41KB
-
Sample
241120-w1nq9azhkb
-
MD5
c80090db736246d069fb59e82ac0a9b3
-
SHA1
5d2aa76651ee1c9ff47be57750f9cb9f1ea71082
-
SHA256
767ecfa3b914e4baa623bb8318f6aa946b47e134fc72633d4308a57a1e80762b
-
SHA512
9d84a6745bb1fbd9bdf68a64ce9b8fa843ccc7cff37113d140771147375afe760996a7150f68fc87caaf80d0dd8f0acbe395098415368db3373d6d77ad0a8634
-
SSDEEP
768:ahvGkOK5lJMU1BaeECAr43M4fJF5Pa9p+Ay6iOwhO3/mbu:aZzZ5lR147RrcRF49IAy6iOwg+K
Malware Config
Extracted
xworm
5.0
127.0.0.1:7000
EMlVcBne6Sb0gEvW
-
Install_directory
%ProgramData%
-
install_file
gamesamse.exe
Targets
-
-
Target
nixware crack .exe
-
Size
41KB
-
MD5
c80090db736246d069fb59e82ac0a9b3
-
SHA1
5d2aa76651ee1c9ff47be57750f9cb9f1ea71082
-
SHA256
767ecfa3b914e4baa623bb8318f6aa946b47e134fc72633d4308a57a1e80762b
-
SHA512
9d84a6745bb1fbd9bdf68a64ce9b8fa843ccc7cff37113d140771147375afe760996a7150f68fc87caaf80d0dd8f0acbe395098415368db3373d6d77ad0a8634
-
SSDEEP
768:ahvGkOK5lJMU1BaeECAr43M4fJF5Pa9p+Ay6iOwhO3/mbu:aZzZ5lR147RrcRF49IAy6iOwg+K
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1