General
- Target: 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
- Size: 57KB
- Sample: 250122-crex7stlej
- MD5: ea2155a8336ee66cc394276af9df5a20
- SHA1: 2ab9a7e04d7b2b377f44b6edb7faa603be50f760
- SHA256: 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16
- SHA512: b86fdcbd8456d2c670860fe249ebe4d782b584f00fc7100f5e479b2904705226a1231b48b209d2e61561b30eb9caa6e9fd496410776a032d275dd198758ea067
- SSDEEP: 1536:zL4nvOCq2RCXkOlKHI6Or6kIIJ2vb/UEzsoO6LAJPxOsL:zL4o2kiUdWbcqrA1xOsL
Behavioral task: behavioral1
- Sample: 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
- Resource: win7-20241023-en
Malware Config
Extracted: xworm
- 192.168.10.71:1177
- Install_directory: %Public%
- install_file: USB.exe
Targets
- Target: 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16N.exe
- Size: 57KB
- MD5: ea2155a8336ee66cc394276af9df5a20
- SHA1: 2ab9a7e04d7b2b377f44b6edb7faa603be50f760
- SHA256: 193c8e2c366ed5f7d32bdf49d685713fec5e980503b4aa59a2cd784726fd3d16
- SHA512: b86fdcbd8456d2c670860fe249ebe4d782b584f00fc7100f5e479b2904705226a1231b48b209d2e61561b30eb9caa6e9fd496410776a032d275dd198758ea067
- SSDEEP: 1536:zL4nvOCq2RCXkOlKHI6Or6kIIJ2vb/UEzsoO6LAJPxOsL:zL4o2kiUdWbcqrA1xOsL
Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.