General
-
Target
working one ig.exe
-
Size
89KB
-
Sample
250122-h8lpzavmdx
-
MD5
3eca2005bcc7a67d5f3b3a46e45fd11e
-
SHA1
8b181cf225fe7aff9799260bd25805e8b7849a90
-
SHA256
18e899d8d15d30164b697741a04ed67fa00f377047f63555dfd4231145c6f3b2
-
SHA512
12a3f62d14628a5ad322dd16193be748eeb8ed8f27f641e9be011344141528576485fa4e3d818a3a2b699949aa415dd6ca0cd1fca3ab2b8a2100f45ae4a05678
-
SSDEEP
1536:zLgBUitSA/Ua3ArtXqDnz3p53V879bqSWTiDrVJe44706g7P5RAO+x/ePO/sn+Y:zDxf1aPXa79bqfFRy7xRAO8eP9+Y
Malware Config
Extracted
xworm
publication-glossary.gl.at.ply.gg:4444
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7704029346:AAHPre1lXQa0UfPCpOUXJZ9UXA9mFxvH4Gk/sendMessage?chat_id=7590668020
Targets
-
-
Target
working one ig.exe
-
Size
89KB
-
MD5
3eca2005bcc7a67d5f3b3a46e45fd11e
-
SHA1
8b181cf225fe7aff9799260bd25805e8b7849a90
-
SHA256
18e899d8d15d30164b697741a04ed67fa00f377047f63555dfd4231145c6f3b2
-
SHA512
12a3f62d14628a5ad322dd16193be748eeb8ed8f27f641e9be011344141528576485fa4e3d818a3a2b699949aa415dd6ca0cd1fca3ab2b8a2100f45ae4a05678
-
SSDEEP
1536:zLgBUitSA/Ua3ArtXqDnz3p53V879bqSWTiDrVJe44706g7P5RAO+x/ePO/sn+Y:zDxf1aPXa79bqfFRy7xRAO8eP9+Y
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1