General

Target: ESpoofer.bat
Size: 291KB
Sample: 250123-xtq4gazlcv
MD5: 3726560b7e2b96b268c25f0e6ee93e87
SHA1: a80b2477598d41baca9b013df935750dc7fb35a8
SHA256: 45613b094a63904db97d394d40574ccb60444990924fa9df1ed19dfc6d4da766
SHA512: 7f81dd73d85f6fcf1210830f5259d22095037dce5613fc397a983a11c079cbf77c74e2464e8be461f2455354e08949c4a74439e8fc0cd2efff43ff7a034bf34a
SSDEEP: 6144:4kQLbp6z5Ary1l3qgJDeKGImDRg1Y28MxBNQdyWCbY5pepzJhMfgS:4Np6lZn3qgJ/GXDR6ZfxBNKTCbjFsJ
Static task: static1
Behavioral task: behavioral1 (sample ESpoofer.bat, resource win7-20240729-en)
Behavioral task: behavioral2 (sample ESpoofer.bat, resource win10v2004-20241007-en)
Malware Config

Extracted family: xworm
C2: IDKTOBEHONESTNIGAS-56344.portmap.io:56344
Install_directory: %ProgramData%
Targets

Target: ESpoofer.bat (291KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Score: 10/10

- Detect Xworm Payload
- Xworm family
- Blocklisted process makes network request
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1) [T1059.001]
- Scheduled Task/Job (1): Scheduled Task (1) [T1053.005]
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1) [T1547.001]
- Scheduled Task/Job (1): Scheduled Task (1) [T1053.005]
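The signatures and ATT&CK mappings above say what the sample does on the host but not how to find it in telemetry. The following is an added example, not Triage output and not the sample's own code: detection rules for those behaviours (Run key, startup-folder drop, schtasks /create, PowerShell launched from the .bat's cmd.exe, a dropped EXE executed from the configured install directory, self-deletion, and DNS or TCP contact with the extracted C2), evaluated over constructed Sysmon-style events. The C2 host and port, the %ProgramData% install directory and the target filename come from the report; the drive letter, the dropped file name update.exe, the SID, task name, user name and paths in the sample events are invented for the example.

```python
"""Detection rules for the behaviours this report lists, run over constructed
Sysmon-style events. Added example: not Triage output, not the sample's code."""
import re
from dataclasses import dataclass, field

# Indicators taken from the report: extracted XWorm config and target name.
C2_HOST = "IDKTOBEHONESTNIGAS-56344.portmap.io"
C2_PORT = 56344
TARGET_NAME = "espoofer.bat"
INSTALL_DIR = "c:\\programdata\\"   # Install_directory %ProgramData%; drive letter assumed

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
SCHTASKS_CREATE_RE = re.compile(r"(^|\s)/create(\s|$)", re.I)

# Report signature name and, where the report maps one, the ATT&CK technique.
SIGNATURES = {
    "run_key":     ("Adds Run key to start application", "T1547.001"),
    "startup":     ("Drops startup file", "T1547.001"),
    "schtask":     ("Scheduled Task", "T1053.005"),
    "powershell":  ("PowerShell", "T1059.001"),
    "dropped_exe": ("Executes dropped EXE", None),
    "self_delete": ("Deletes itself", None),
    "c2":          ("XWorm C2 contact", None),
}


@dataclass
class Event:
    """Minimal Sysmon event: EventID plus the fields the rules consult."""
    event_id: int
    fields: dict = field(default_factory=dict)


def _image_is(f, exe):
    """True when the event's Image ends with \\<exe> (case-insensitive)."""
    return f.get("Image", "").lower().endswith("\\" + exe)


def detect(events):
    """Return (signature_key, reason) for each event that matches a rule."""
    hits = []
    for e in events:
        f = e.fields
        img = f.get("Image", "")
        cmd = f.get("CommandLine", "")
        if e.event_id == 13 and RUN_KEY_RE.search(f.get("TargetObject", "")):
            hits.append(("run_key", "%s -> %s" % (f["TargetObject"], f.get("Details", ""))))
        elif e.event_id == 11 and STARTUP_RE.search(f.get("TargetFilename", "")):
            hits.append(("startup", f["TargetFilename"]))
        elif e.event_id == 1 and _image_is(f, "schtasks.exe") and SCHTASKS_CREATE_RE.search(cmd):
            hits.append(("schtask", cmd))
        elif e.event_id == 1 and _image_is(f, "powershell.exe") \
                and f.get("ParentImage", "").lower().endswith("\\cmd.exe"):
            hits.append(("powershell", cmd))   # the .bat runs under cmd.exe
        elif e.event_id == 1 and img.lower().startswith(INSTALL_DIR):
            hits.append(("dropped_exe", img))
        elif e.event_id == 23 and f.get("TargetFilename", "").lower().endswith("\\" + TARGET_NAME):
            hits.append(("self_delete", "%s deleted by %s" % (f["TargetFilename"], img)))
        elif e.event_id == 22 and f.get("QueryName", "").lower() == C2_HOST.lower():
            hits.append(("c2", "DNS query for %s by %s" % (C2_HOST, img)))
        elif e.event_id == 3 and f.get("DestinationHostname", "").lower() == C2_HOST.lower():
            hits.append(("c2", "%s -> %s:%s" % (img, C2_HOST, f.get("DestinationPort"))))
    return hits


def techniques(hits):
    """Sorted ATT&CK technique IDs implied by the hits (only those the report maps)."""
    return sorted({SIGNATURES[k][1] for k, _ in hits if SIGNATURES[k][1]})


# Constructed events approximating the report's behaviours. The SID, user,
# task name and the dropped file "update.exe" are invented for the example.
SAMPLE_EVENTS = [
    Event(1, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "ParentImage": r"C:\Windows\System32\cmd.exe",
              "CommandLine": "powershell -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1"}),
    Event(11, {"Image": r"C:\ProgramData\update.exe", "TargetFilename":
               r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"}),
    Event(13, {"Image": r"C:\ProgramData\update.exe", "Details": r"C:\ProgramData\update.exe",
               "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\update"}),
    Event(1, {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\ProgramData\update.exe",
              "CommandLine": r'schtasks /create /f /RL HIGHEST /sc minute /mo 1 /tn "update" /tr "C:\ProgramData\update.exe"'}),
    Event(1, {"Image": r"C:\ProgramData\update.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
              "CommandLine": r"C:\ProgramData\update.exe"}),
    Event(22, {"Image": r"C:\ProgramData\update.exe", "QueryName": C2_HOST}),
    Event(3, {"Image": r"C:\ProgramData\update.exe", "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT}),
    Event(23, {"Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Users\victim\Downloads\ESpoofer.bat"}),
    # Benign noise that must not fire.
    Event(3, {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
              "DestinationHostname": "example.com", "DestinationPort": 443}),
    Event(13, {"Image": r"C:\Windows\System32\msiexec.exe", "Details": "1",
               "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example"}),
]

if __name__ == "__main__":
    for key, reason in detect(SAMPLE_EVENTS):
        name, tid = SIGNATURES[key]
        print("%-10s %-36s %s" % (tid or "-", name, reason))
```

Only the C2 hostname and the target filename are specific to this sample; the Run key, Startup folder and schtasks /create rules are generic to the persistence techniques the report maps and will also fire on other malware and on some legitimate installers, so treat those hits as triage leads and the C2 contact as the high-confidence indicator.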