General
-
Target
XגדשClient.exe
-
Size
68KB
-
Sample
250125-wcj36avrbm
-
MD5
138dec9a09b140cafdc7e3b38c6e50c9
-
SHA1
90e7d8b8020c20a763fd88ebae97959452863dae
-
SHA256
e21ea01c076378885e08f0c906e80924ba54db15f3b308f78734d654b958fd21
-
SHA512
23c6c9710e3cacadc1ff8f58cc7995d8a9ab293572ad02cc1484a87179aad056ce6a54e9f4a7f0957a7516222bf4ef5eaa3fb9fc19e22d130e59e7dadb27b6f5
-
SSDEEP
1536:Z3UR+N6zqB4bldfIkb3ACWfL6div9ZRyO00SHgJas:ZDN6zTrIkb3Anf8iYO1agJ9
Malware Config
Extracted
xworm
sponef159-35748.portmap.host:7809
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7508868671:AAG6XIOhz39IrQIUnjub1TKVOVZHfdjpsvM/sendMessage?chat_id=6094400048
Targets
-
-
Target
XגדשClient.exe
-
Size
68KB
-
MD5
138dec9a09b140cafdc7e3b38c6e50c9
-
SHA1
90e7d8b8020c20a763fd88ebae97959452863dae
-
SHA256
e21ea01c076378885e08f0c906e80924ba54db15f3b308f78734d654b958fd21
-
SHA512
23c6c9710e3cacadc1ff8f58cc7995d8a9ab293572ad02cc1484a87179aad056ce6a54e9f4a7f0957a7516222bf4ef5eaa3fb9fc19e22d130e59e7dadb27b6f5
-
SSDEEP
1536:Z3UR+N6zqB4bldfIkb3ACWfL6div9ZRyO00SHgJas:ZDN6zTrIkb3Anf8iYO1agJ9
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1