General
-
Target
3fa56993244dfb36526495c3d9e8016381e6c2b521ee24471d8731a755a625c3.exe
-
Size
82KB
-
Sample
250124-zq4w9szjhq
-
MD5
091f5b8bf3c5272388d483d5d5ce9fcb
-
SHA1
1d077bacc1a522319efbc6a0d303c2afcb579849
-
SHA256
3fa56993244dfb36526495c3d9e8016381e6c2b521ee24471d8731a755a625c3
-
SHA512
3f046a85cc5960de1d80b47daced9615a5ffb20f1ff432804096bef3937f757c3b90a8f2d4119e2b0d1941d1e29f75255a5d1e90c98ad7781da4c03d3d8a3c3d
-
SSDEEP
1536:Nz9Nkxe0BO7PC8Kk0ycbrjUiKkwYX863w3NOW9JYUoB9:ZDkwwk0bbnUiKTdOICB9
Malware Config
Extracted
xworm
147.185.221.23:36343
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Targets
-
-
Target
3fa56993244dfb36526495c3d9e8016381e6c2b521ee24471d8731a755a625c3.exe
-
Size
82KB
-
MD5
091f5b8bf3c5272388d483d5d5ce9fcb
-
SHA1
1d077bacc1a522319efbc6a0d303c2afcb579849
-
SHA256
3fa56993244dfb36526495c3d9e8016381e6c2b521ee24471d8731a755a625c3
-
SHA512
3f046a85cc5960de1d80b47daced9615a5ffb20f1ff432804096bef3937f757c3b90a8f2d4119e2b0d1941d1e29f75255a5d1e90c98ad7781da4c03d3d8a3c3d
-
SSDEEP
1536:Nz9Nkxe0BO7PC8Kk0ycbrjUiKkwYX863w3NOW9JYUoB9:ZDkwwk0bbnUiKTdOICB9
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1