General
-
Target
XClient.exe
-
Size
78KB
-
Sample
250120-z46m1szles
-
MD5
f304f5522655bcc6b8cd42e8cc5257b2
-
SHA1
348c7528cdf90e81ed68b8539d9992da130880ec
-
SHA256
929680b8659e4c1c1211bfa32862fe648a37a030136f6d4e3d343531582f60a1
-
SHA512
f4e3131a9caed15e84032c6ff3ae5862340596c7759b52782b8816f4fd5b26335d0a48ab9ad715158dbc0a7679cecfec869453292aca23851ad569674959274c
-
SSDEEP
1536:yXXX4+cmalnBwczCKH6eIPYDlgSvLJahib3nPtCbEiUv5my6oOf/OCc2en+C:yIGQnBwI7aN2nvNb3nwEiUB0f/O/l+C
Malware Config
Extracted
xworm
blood-pattern.gl.at.ply.gg:24558
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020
Targets
-
-
Target
XClient.exe
-
Size
78KB
-
MD5
f304f5522655bcc6b8cd42e8cc5257b2
-
SHA1
348c7528cdf90e81ed68b8539d9992da130880ec
-
SHA256
929680b8659e4c1c1211bfa32862fe648a37a030136f6d4e3d343531582f60a1
-
SHA512
f4e3131a9caed15e84032c6ff3ae5862340596c7759b52782b8816f4fd5b26335d0a48ab9ad715158dbc0a7679cecfec869453292aca23851ad569674959274c
-
SSDEEP
1536:yXXX4+cmalnBwczCKH6eIPYDlgSvLJahib3nPtCbEiUv5my6oOf/OCc2en+C:yIGQnBwI7aN2nvNb3nwEiUB0f/O/l+C
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1