General
- Target: c41835a324bf05ba0c3546f763339709871b44b2746e3f812cea3fb589a9b0e1.exe
- Size: 85KB
- Sample: 241203-15v4casnfm
- MD5: 06a82a27a4cae4c287b6b62bd5f786b0
- SHA1: df3f0ca0d039590a97f0753e55d4b9e8d97639bc
- SHA256: c41835a324bf05ba0c3546f763339709871b44b2746e3f812cea3fb589a9b0e1
- SHA512: 6a6833efefe1af796010df6b676323752b289d0d39c8c47e4e95887744e24582df513e23ca1a887f0163afcdccbc8c9fe54aa4e4bec79552aca457f6467a8221
- SSDEEP: 1536:1MM5PNnouB22SGS23lCAdp5bMrle/jGb6cs67ObguQmC6Ow22:dc2CcCAdjbM6DKObguQmCX2
Behavioral tasks
- behavioral1
  - Sample: c41835a324bf05ba0c3546f763339709871b44b2746e3f812cea3fb589a9b0e1.exe
  - Resource: win7-20240903-en
- behavioral2
  - Sample: c41835a324bf05ba0c3546f763339709871b44b2746e3f812cea3fb589a9b0e1.exe
  - Resource: win10v2004-20241007-en
Malware Config
Extracted: xworm
- 127.0.0.1:2122
- organizations-theta.gl.at.ply.gg:2122
- Install_directory: %AppData%
- install_file: USB.exe
Targets
- Target: c41835a324bf05ba0c3546f763339709871b44b2746e3f812cea3fb589a9b0e1.exe
Score: 10/10
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.