General
- Target: Wave.exe_stage5
- Size: 77KB
- Sample: 250113-p28dqavmer
- MD5: 0967dbc4632642ee26d9d73447b7734e
- SHA1: e40de079c23265f8cf23c88724a83efad33eb09a
- SHA256: 26f1a58af1a708ce295d228e1ce527eb336bdcee5b074d893b9476e5ca4792fd
- SHA512: 5b4d220499926259e480b90fb0b705d4e876704c98b96002dce745731e5293e693dcaa6453c20b076af041edca90561e5fc9f9e906876129921bb86d684acb00
- SSDEEP: 1536:0+xnzzJ0BslP/Q6J1gbH7fyHjcM6ORX9EwSbAh/CEN6y6mgOBmGj6n+B:fmslafJOKbAkG8OBmGE+B
Malware Config

Extracted: xworm
- C2: myskibiditoilet.zapto.org:42662
- Install_directory: %AppData%
- install_file: RuntimeBroker.exe
- telegram: https://api.telegram.org/bot8006038208:AAGxaRzh6MiD_RioJtUt9iA5WVfeKxZwiu4/sendMessage?chat_id=6338341120

Extracted: latentbot
- C2: myskibiditoilet.zapto.org
Targets
- Target: Wave.exe_stage5 (Size 77KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- Detect Xworm Payload
- Latentbot family
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)