General

  • Target

    spoofertest.exe

  • Size

    200KB

  • Sample

    241230-r76heszphx

  • MD5

    24b58306d1368c2b0143f75e8678dca1

  • SHA1

    6a454149d3c6b2cd26f61c9a6045a9e5c0145318

  • SHA256

    5c85c8dce4fb146cb5d80c37bd895f57f898d5e06c1720070e8b2658413a10a9

  • SHA512

    55ab4eca471411a38fc666155ee120f0e7d9239bd2c1446ca060e0543ef02df105bafe276248445f1243633d72ea16f3981ad847844b9f55d318045f9ce78d7e

  • SSDEEP

    3072:Nk2FC2QG4C/67LcwObG5+bTuFNOsniku4NpVq8BxFRzaqF+o2GQJ7/JzqVfGv9:q2FRwbwbKugVqwlL

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      spoofertest.exe

    • Size

      200KB

    • MD5

      24b58306d1368c2b0143f75e8678dca1

    • SHA1

      6a454149d3c6b2cd26f61c9a6045a9e5c0145318

    • SHA256

      5c85c8dce4fb146cb5d80c37bd895f57f898d5e06c1720070e8b2658413a10a9

    • SHA512

      55ab4eca471411a38fc666155ee120f0e7d9239bd2c1446ca060e0543ef02df105bafe276248445f1243633d72ea16f3981ad847844b9f55d318045f9ce78d7e

    • SSDEEP

      3072:Nk2FC2QG4C/67LcwObG5+bTuFNOsniku4NpVq8BxFRzaqF+o2GQJ7/JzqVfGv9:q2FRwbwbKugVqwlL

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks