General
-
Target
42a96a71d61fa31676c36a5e036d87dde899e1197a45c48833b4bfb4770feb01
-
Size
138KB
-
Sample
241203-xgk2paykfs
-
MD5
6f2933da19f4b614e6c8df1b924bfaad
-
SHA1
37080e506a8b1409ed692434dc010a2fd5596078
-
SHA256
42a96a71d61fa31676c36a5e036d87dde899e1197a45c48833b4bfb4770feb01
-
SHA512
bc96d82c6a05d5f6f1d8f9bc9de6dec96622a447abce3abc4d2b34acc0bd99439b5857dc5f7fbf0b59c5f0b0710d24db8d9ec2f00ad34d841e7f6b091c53af1f
-
SSDEEP
3072:1S+h9PGWAIFY9KiFOps83Bz65/M6If+3Js+3JFkKeTnq:1/PlY9axBt25
Malware Config
Extracted
xworm
5.0
takes-sbjct.gl.at.ply.gg:41371
MxqHSXsrqbfmnzhV
-
Install_directory
%AppData%
-
install_file
WindowsLogonIN.exe
Targets
-
-
Target
42a96a71d61fa31676c36a5e036d87dde899e1197a45c48833b4bfb4770feb01
-
Size
138KB
-
MD5
6f2933da19f4b614e6c8df1b924bfaad
-
SHA1
37080e506a8b1409ed692434dc010a2fd5596078
-
SHA256
42a96a71d61fa31676c36a5e036d87dde899e1197a45c48833b4bfb4770feb01
-
SHA512
bc96d82c6a05d5f6f1d8f9bc9de6dec96622a447abce3abc4d2b34acc0bd99439b5857dc5f7fbf0b59c5f0b0710d24db8d9ec2f00ad34d841e7f6b091c53af1f
-
SSDEEP
3072:1S+h9PGWAIFY9KiFOps83Bz65/M6If+3Js+3JFkKeTnq:1/PlY9axBt25
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1