General
-
Target
Skeet.cc crack (111).zip
-
Size
42KB
-
Sample
250121-a4djssxpaj
-
MD5
3884404be3d9a918f4296cc2bd6c8ce3
-
SHA1
279282e436749d6c7947f9b47382cf74d689c21a
-
SHA256
ffef5e5d982b43fcebf2d715da120ab0d661377489410be2925be6a5fe2eab39
-
SHA512
067ced3664263649ceb75757da7e225d0a8ad1b33d08949028887263889d6aeb07a76f2522db9140c0f2096ed51adf885d7f9d5e3940a5e7a635965c57052123
-
SSDEEP
768:wLllI83kg97PdPsBAphaDw23IHJnHtqn8ccuHCMg56p6XXuicbp1:whVXPna2HLq86HCMPp8eicF1
Malware Config
Extracted
xworm
though-genome.gl.at.ply.gg:18385
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
Skeet.cc crack.exe
-
Size
86KB
-
MD5
399fb0aaf37efe3f2181cba3ff35bc2f
-
SHA1
1b34ae1f98d7b153d3a7d121b8749b66ab7a6615
-
SHA256
043310225fc373573c403b4a37011250136715ef166a3fdee2508c2c56e2f967
-
SHA512
2d86524b5377cb3c218810d466501b124b622429dbb21cb965cd32d3c7cb86ee7b752a7fd26388aec9fa945687ece34c6b2f57984aec36179f62c59a5f738cb1
-
SSDEEP
1536:E9pAbUXNstymljWr65CVodMbbls1dg+fRvW6kHONVZ8Y:E9pAbQN9bl4gMsOND3
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1