General
Target: nigger.exe
Size: 64KB
Sample: 250119-zd59kavlfs
MD5: 6f8774e5839ed8ed21449f097122f0d9
SHA1: 666790bd8f79903fcb4788ed3ef6552bf2d7c340
SHA256: 978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9
SHA512: 9d371e4b2ce6c356a57a19fd1b070e67ccbc37fc206d1d8e6c3f2b444065d64664420d64f788c459fd4632a1f1b4bc850d10e5a0dd9b9b4667bdb8f4c3d09b53
SSDEEP: 1536:yP2rvEPQLEMlRGvqzRXJ69b3XhNQpzO862MO1fQKvixfav:yP2rv8GTx9569b3kpuO1fQ5av
Behavioral task: behavioral1
Sample: nigger.exe
Resource: win7-20240903-en
Malware Config
Extracted: xworm
memory-lottery.gl.at.ply.gg:4444
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: nigger.exe
Size: 64KB
Signatures:
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)