General
-
Target
blessnig.exe
-
Size
70KB
-
Sample
250121-pm3jxstjhy
-
MD5
e8f1d07ff83c5c50eed5ed71c6f0a349
-
SHA1
77fb738a98dbcd711438a55aa6afb34b0a61d503
-
SHA256
cc28640de6594899debc7afeccd103550c9925c35fb6ac86503acb80169d6f2c
-
SHA512
e1509708747273de776771b7fbde835a1a23434ede474e861d12b8253595406ad3a1427da3deff3ac2965b4f6e02748d67bc8630a460779587a2c3152dad8acd
-
SSDEEP
1536:Cz0Jl56GYl8zQ8kk9WxDS8jN4WUvK9b+ORkEQlq6R+2OCOgrzn+C:Tb6GI8zQTk9OO8+WL9b+tES+2OCOgf+C
Malware Config
Extracted
xworm
blood-pattern.gl.at.ply.gg:24558
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020
Targets
-
-
Target
blessnig.exe
-
Size
70KB
-
MD5
e8f1d07ff83c5c50eed5ed71c6f0a349
-
SHA1
77fb738a98dbcd711438a55aa6afb34b0a61d503
-
SHA256
cc28640de6594899debc7afeccd103550c9925c35fb6ac86503acb80169d6f2c
-
SHA512
e1509708747273de776771b7fbde835a1a23434ede474e861d12b8253595406ad3a1427da3deff3ac2965b4f6e02748d67bc8630a460779587a2c3152dad8acd
-
SSDEEP
1536:Cz0Jl56GYl8zQ8kk9WxDS8jN4WUvK9b+ORkEQlq6R+2OCOgrzn+C:Tb6GI8zQTk9OO8+WL9b+tES+2OCOgf+C
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1