General

  • Target

    steam.exe

  • Size

    64KB

  • Sample

    250120-arqzcssrhj

  • MD5

    931304a01acc611b8e637e4056eacf1a

  • SHA1

    621327eb10dc7a3b4ea5f4f8eacde198a1b83eda

  • SHA256

    501811083cd4441914057188240e81b0c07ee52da841be5b48439b23dd1c78b7

  • SHA512

    3aba4030c25a9b90e2d5ebaafed9efd42314d60e4c5dc374a14ebb10788777372301129ccb92484e0d0ee188637ba8aa892e200b7c9f73e77cb0d8916ebf8b94

  • SSDEEP

    1536:HtGW7tT67jrizXqMRJtjYtfEWPrfPh4bZKtpe/:0WpmLi+MOPr+bZ2pe/

Malware Config

Extracted

Family

xworm

C2

25.ip.gl.ply.gg:22709

Attributes

  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Targets

    • Target

      steam.exe

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks