General

Target: Xeno.exe
Size: 36KB
Sample: 250120-xgh74atlbt
MD5: 732dadd84533cd1638d710f431788456
SHA1: 0c26e4a866f531056187cb49c129dfa6fd48f517
SHA256: 906d56dada15af2cd0f497da8ca1b4d03ebd03c8d389925b21fd3a331b4f25bf
SHA512: 6783a841bf881ede26be331a032584bf78f1d93a2963dde2836b3c7c2c127c31c778ded40d95b30d5a14ff4afa194403c544d6fbb26c7468ad215cb9d8fe3234
SSDEEP: 768:qMr+VtK66pUb56RJR2umOe6W4oJ5Fyw99VPq6KO/hEy4VJS:qy+P6pUb56Ruuu6GTFr99Jq6KO/OjJS
Behavioral task

behavioral1
Sample: Xeno.exe
Resource: win11-20241007-en

Malware Config

Extracted: xworm 5.0
february-surrey.gl.at.ply.gg:7000
M6UqD69FyiepuCHR
Install_directory: %AppData%
install_file: USB.exe
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)