General
-
Target
XClient.exe
-
Size
63KB
-
Sample
250126-r7sassvrgm
-
MD5
0cf6b6f3add95bced157a5e05ed8be81
-
SHA1
9346295551b8a9c028922cd2482183ddbe9bae75
-
SHA256
d02eddd53acef8a79f33eb5abb2aa8bb9d2a6e4f683372203b687cde81b589b2
-
SHA512
ee943d15776a367d9da4a8053d783a7151e15f8e36ac943f4d09dea35b2566348ae0ad2121b3aa9e48fa986e2b232f698080ed565e66c7a1b43f50177be1fd89
-
SSDEEP
1536:1QzWVouI2KKb+bYDOdKO+6wcV6OkWYux:yCVo52f+bYDl+V6OkJ4
Malware Config
Extracted
xworm
sponef159-35748.portmap.host:7809
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7508868671:AAG6XIOhz39IrQIUnjub1TKVOVZHfdjpsvM/sendMessage?chat_id=6094400048
Targets
-
-
Target
XClient.exe
-
Size
63KB
-
MD5
0cf6b6f3add95bced157a5e05ed8be81
-
SHA1
9346295551b8a9c028922cd2482183ddbe9bae75
-
SHA256
d02eddd53acef8a79f33eb5abb2aa8bb9d2a6e4f683372203b687cde81b589b2
-
SHA512
ee943d15776a367d9da4a8053d783a7151e15f8e36ac943f4d09dea35b2566348ae0ad2121b3aa9e48fa986e2b232f698080ed565e66c7a1b43f50177be1fd89
-
SSDEEP
1536:1QzWVouI2KKb+bYDOdKO+6wcV6OkWYux:yCVo52f+bYDl+V6OkJ4
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1