Overview

overview

10

Static

static

10

gm.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gm.exe

  • Size

    60KB

  • Sample

    250118-wdwtcazjcv

  • MD5

    f8e80eb256f014dc1a1dcf494f49491e

  • SHA1

    3f8437c9ca5239ea2125aca3456da1f7a0645d66

  • SHA256

    57c78c431dad7a72ab8047b9707f8e740ae4174e253626d494580333226ecb18

  • SHA512

    ee357ddde117a34135201265f20cf3d4235025d1db884142f6a58b99d5bebd4b0bda69d0efc37df4a5d14f079df0a5b08bbcad9b61339dab1aacf355d17e2de8

  • SSDEEP

    1536:KFJjiXMQ4eOJKgZvw6IY+bhxhzRNuOBZXYVFv:KDQR1Q46IY+bhf2OB5YVl

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

poker-dosage.gl.at.ply.gg:10021

Attributes
  • Install_directory

    %AppData%

  • install_file

    RealtekUService86.exe

Targets

    • Target

      gm.exe

    • Size

      60KB

    • MD5

      f8e80eb256f014dc1a1dcf494f49491e

    • SHA1

      3f8437c9ca5239ea2125aca3456da1f7a0645d66

    • SHA256

      57c78c431dad7a72ab8047b9707f8e740ae4174e253626d494580333226ecb18

    • SHA512

      ee357ddde117a34135201265f20cf3d4235025d1db884142f6a58b99d5bebd4b0bda69d0efc37df4a5d14f079df0a5b08bbcad9b61339dab1aacf355d17e2de8

    • SSDEEP

      1536:KFJjiXMQ4eOJKgZvw6IY+bhxhzRNuOBZXYVFv:KDQR1Q46IY+bhf2OB5YVl

    Score
    10/10
    xwormrattrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks