General

  • Target

    changeyourmapin5s.exe

  • Size

    103KB

  • Sample

    241203-t4gq1ayqak

  • MD5

    8544b7a07ac964e9398db5ced02de51f

  • SHA1

    9dd166931a20c364bf91726b19a8c66fc18495e0

  • SHA256

    d75d921b14ef15d53625282a961bfe8815c076c250fc6d06a4d535f4256beecd

  • SHA512

    3f2b24bf952b73954bbc2495423bebef7d44848a76a26a52bfd3521ef330389a81fddf963d3b2e5170a0381900fbc27a0aa900b1d8eea6009a94ec45f1e6c55d

  • SSDEEP

    1536:G0H/ps0R8ZAfDjxRux8iPtCofEJSnknpHQINH+IIdRh8z9z1cQTnr45LpF/9:VRs0YyLasMEgnD8Ib6zRnALpH

Malware Config

Extracted

  • Family

    xworm

  • Version

    5.0

  • C2

    127.0.0.1:14333

    previous-contests.gl.at.ply.gg:14333

  • Mutex

    GH9VJU0DztsBgWNu

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      XClient.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks