General
-
Target
wow.exe
-
Size
14.8MB
-
Sample
241217-y12zzsxqcl
-
MD5
b2c17e4aaa1ab07e2be2c6e08120c7fe
-
SHA1
67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
-
SHA256
d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
-
SHA512
5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223
-
SSDEEP
393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT
Behavioral task
behavioral1
Sample
wow.exe
Resource
win11-20241007-en
Malware Config
Extracted
xworm
5.0
lohoainam2008-36048.portmap.io:36048
-
Install_directory
%AppData%
-
install_file
Setup.exe
-
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098
Extracted
metasploit
windows/reverse_tcp
147.185.221.19:58142
Extracted
xworm
127.0.0.1:48990
147.185.221.22:48990
-
Install_directory
%Userprofile%
-
install_file
svchostt.exe
Extracted
xworm
3.0
soon-lp.at.ply.gg:17209
-
Install_directory
%AppData%
-
install_file
NjRat Dangerous.exe
Extracted
asyncrat
| CRACKED BY https://t.me/xworm_v2
SolaraFake
anyone-blogging.gl.at.ply.gg:22284
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Windows.exe
-
install_folder
%Temp%
Extracted
asyncrat
0.5.8
Default
14.243.221.170:3322
ynBzTukwLg8N
-
delay
3
-
install
false
-
install_file
Clean.bat
-
install_folder
%Temp%
Extracted
stealc
Line
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
wow.exe
-
Size
14.8MB
-
MD5
b2c17e4aaa1ab07e2be2c6e08120c7fe
-
SHA1
67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
-
SHA256
d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
-
SHA512
5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223
-
SSDEEP
393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT
-
Asyncrat family
-
Detect Xworm Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Metasploit family
-
Stealc family
-
Xworm family
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1