General
Target: wub_64.exe
Size: 1.1MB
Sample: 250123-a358esvldp
MD5: 3fb29133bba5f76baf2a75d7b177e33c
SHA1: b5fce8752562db3bb24ca0c7f8c3c2da73098372
SHA256: ed2412eaee0ed2a18411fda373dbf71a90296f5866aec5af55255a487b92af12
SHA512: 68170e31ba3ece0ee9294f0278bc2cf54be19cd73e80a9b78cc213f327464957f0fbee9aa16781791ed45e57cc107bd4825abc7661ab75df37546576c20cb243
SSDEEP: 24576:a0euAl7t8FI3YcD7ODKlLo0cKiAwWxd19LW7bXH6sv:tNAl7tN39Hns0cjWxNLW7b36
Static task: static1
Behavioral task: behavioral1
  Sample: wub_64.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: wub_64.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted family: xworm
C2:
- vshostupdater.duckdns.org:34357
- newport1179.duckdns.org:34357
- windowsbre.duckdns.org:34357
Install_directory: %AppData%
install_file: Windows Updater.exe
Targets
Target: wub_64.exe
Score: 10/10
Signatures:
- Detect Xworm Payload
- Modifies security service
- Xworm family
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)