General

  • Target

    XWormV3.1.exe

  • Size

    7.0MB

  • Sample

    241204-a8xhgasrhz

  • MD5

    3d7099d20fa4b010872bdeafc7ef2ad2

  • SHA1

    112a5be4630cf8cb237d6c121097119e0484f4e2

  • SHA256

    4748cc63e9e800f3c085fd3760a5a780d4c44a617b727989d71cc0cd79ddee6c

  • SHA512

    bfc463256c1ec30de6671a121365431d61ecfee04af108faf2bcef5319805611453d46afbdce8cb3c622686cabd1786b5d982982ca9ab2af600c2b74252a65ce

  • SSDEEP

    196608:7nWqruP0pU8UkYzHK1Yql3acqzXjjwWdYxQZWK+oP3YX6p:7n3U9Fz4Yg3acqzXjEIYxQZWQvYX6p

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    next-screening.at.ply.gg:48590

  • Attributes

    • Install_directory

      %AppData%

    • install_file

      chrome.exe

Targets

    • Target

      XWormV3.1.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

MITRE ATT&CK Enterprise v15