General

  • Target

    LoaverV1.2.exe

  • Size

    3.8MB

  • Sample

    250119-ydk3ystjhr

  • MD5

    f44f322db262c3e905e70be9d73979fe

  • SHA1

    23d5e5291e707599ffce178fdb8fa41f9ea34765

  • SHA256

    8239e02a905f4bc9df11e1ed7e47bfb30dcf7913bb41ec4c438356b2c2c97f29

  • SHA512

    a2e66bedad96ed84c13e1605bc23905d1ba4397ed77daffa53b95b235b25810c2e727147a8dfaeeb3d4667feaedb4ab920400572bfa777617e6b5db515036864

  • SSDEEP

    98304:1ObtgYGzZZIzM2dVLKTLLvjNUYGvY34S87EwDB31Ntvn/nf5:1OeYGKxVLKTLFUFYISmP11Np/nf5

Malware Config

Extracted

Family

xworm

Version

5.0

C2

gold-blackberry.gl.at.ply.gg:17955

Mutex

94BeBAD1qG7r5xia

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Targets

    • Target

      LoaverV1.2.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15