General
-
Target
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed.zip
-
Size
49KB
-
Sample
250302-2waxgsykt9
-
MD5
cf2d1f8d317dfeefea48a2d2c23ffca8
-
SHA1
3313f86429b8c99c15b12654b61cb17670b76579
-
SHA256
25f61938ed5473d78506a19592f356a585bb2422cd3d189f9c45d2113a0a59b8
-
SHA512
5e431800981ba0e0a2bd08ef843eb8f780cd93af700861058db002ac8a4f016f7d3990c6ec7e95ff710d7813817f152fee5fedf97448d1d38b0fe6d09a44a532
-
SSDEEP
1536:pUthTwD+LURGc1mNhhIIMvIwjWIbNE3h+ghttw:6jgGemNhmIMvXzqx1h3w
Malware Config
Extracted
xworm
127.0.0.1:36623
fax-scenarios.gl.at.ply.gg:36623
-
Install_directory
%AppData%
-
install_file
SolaraX.exe
Targets
-
-
Target
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed.exe
-
Size
82KB
-
MD5
b201ce5dcb58284da7a5ef6294418e56
-
SHA1
27573051f80debfd74e1a72d27cfd29f58c76d7e
-
SHA256
188d525daed5c014ea5ae62a1fd1841d783693e41712ea58b9906cda2b60dbed
-
SHA512
f282f9efa40ce5e753faf803079af9aae478711e6e2f3dcf09c744ae3e670c6ef0cb18b62c8e57ba825faef8c396dd481768ef0680681d4b1b80ad1c3433f11c
-
SSDEEP
1536:D2wgD0/WhgBpRCn3wtSD+bQ6QqTMj34Al6G4tIzOasNnP6UO:ywkeWQCn1+bQdjrytuOa6Sz
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1