General

  • Target

    XwormLoader.exe

  • Size

    151KB

  • Sample

    241230-qv2g9syngt

  • MD5

    bdd436da273b69bc950ff2209590102b

  • SHA1

    8427c60267ff5cf6bf46f4fb4b1eb7c950606f3d

  • SHA256

    e52a70f48da99632fdb59508a82dd139df9b33fc0eadf594c2e83458bc595e3b

  • SHA512

    2c6ab3fa0335b151a80f62d72f525473630ebddcf22c96717d2c681d99693d371d415a9a4a8bf190a80f1a7bd59a08a1610167468987d4090b2d0f31dc65503d

  • SSDEEP

    3072:pm4xW6xSsVbIa+30Ou0WRItVMzLv4Pstg:pTPSmbM3M5ItVM

Malware Config

Extracted

Family

xworm

C2

still-sponsored.gl.at.ply.gg:53486

Attributes

  • Install_directory

    %AppData%

  • install_file

    BensGaming.exe

Targets

    • Target

      XwormLoader.exe

    • Size

      151KB

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15