General

  • Target

    ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb

  • Size

    49KB

  • Sample

    241121-m9sxws1qa1

  • MD5

    718cb27afcc862a09f8275b7e738be09

  • SHA1

    38e11449118b1b54a44a1a09b40ea7547103ad8c

  • SHA256

    ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb

  • SHA512

    616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67

  • SSDEEP

    768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7772

13.71.91.225:7772

Mutex

Sapr6UBSh6DxjMnP

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • telegram

    https://api.telegram.org/bot7585343577:AAHgS-QNhULHIXmK3EKIXWuMP2uRNZpJjd8/sendMessage?chat_id=5424396760

aes.plain

Targets

    • Target

      ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb

    • Size

      49KB

    • MD5

      718cb27afcc862a09f8275b7e738be09

    • SHA1

      38e11449118b1b54a44a1a09b40ea7547103ad8c

    • SHA256

      ecebefa7efb2e6058bfcf6368b5abac893aec2092c2c975bc40dedf6869f4ebb

    • SHA512

      616f239bddd665d777bfef42fce0adfd15aecaa2cdd96420ac9421c1589b08a75959a5539f8de9ef689a9826c8aa583ec1ff2401ac736232f84968b5a922ff67

    • SSDEEP

      768:NPcxLY8x6plvTQRbglW0Lw1MTHWpC+eJsEYWgh8/XyizR1yg5LhtOMlAcqDD9uer:RrDVTcTvOCugqXyIug5PwJqwV

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks