General
-
Target
gas.exe
-
Size
210KB
-
Sample
250122-2lzg4ayrhv
-
MD5
90c98d9fe169b720fe06cd53fbc60623
-
SHA1
b0bdcccd5977a95ba11b77907c1c02712c4bd044
-
SHA256
251eac0114f46e9f5ff05bfba18e27b9efc1845881829842d7ea655b717bcbd6
-
SHA512
6e1ff118479697b48884abb58b99457634305bd53b0a834d08806fc3daa16eedb9a2c6d8c76fcdbd52f6d2a4d9fcbf76a667030128f0ceb6eedd0ffb190b95ca
-
SSDEEP
3072:jDczFJ9ZTOC/h8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnP:0RJ9vUhcX7elbKTuq9bfF/H9d9n
Malware Config
Extracted
xworm
5.0
Z8drePphw8vlIJAK
-
Install_directory
%AppData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/4YfEusCJ
Targets
-
-
Target
gas.exe
-
Size
210KB
-
MD5
90c98d9fe169b720fe06cd53fbc60623
-
SHA1
b0bdcccd5977a95ba11b77907c1c02712c4bd044
-
SHA256
251eac0114f46e9f5ff05bfba18e27b9efc1845881829842d7ea655b717bcbd6
-
SHA512
6e1ff118479697b48884abb58b99457634305bd53b0a834d08806fc3daa16eedb9a2c6d8c76fcdbd52f6d2a4d9fcbf76a667030128f0ceb6eedd0ffb190b95ca
-
SSDEEP
3072:jDczFJ9ZTOC/h8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnP:0RJ9vUhcX7elbKTuq9bfF/H9d9n
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1