General
-
Target
ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
-
Size
49KB
-
Sample
241121-m9sxws1qa1
-
MD5
718cb27afcc862a09f8275b7e738be09
-
SHA1
38e11449118b1b54a44a1a09b40ea7547103ad8c
-
SHA256
ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
-
SHA512
616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67
-
SSDEEP
768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV
Static task
static1
Behavioral task
behavioral1
Sample
ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb.exe
Resource
win7-20240903-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:7772
13.71.91.225:7772
Sapr6UBSh6DxjMnP
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
telegram
https://api.telegram.org/bot7585343577:AAHgS-QNhULHIXmK3EKIXWuMP2uRNZpJjd8/sendMessage?chat_id=5424396760
Targets
-
-
Target
ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
-
Size
49KB
-
MD5
718cb27afcc862a09f8275b7e738be09
-
SHA1
38e11449118b1b54a44a1a09b40ea7547103ad8c
-
SHA256
ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb
-
SHA512
616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67
-
SSDEEP
768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV
-
Detect Xworm Payload
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-