General
Target: 717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc.exe
Size: 28.2MB
Sample: 250302-c25ava1xay
MD5: 76924aa3990887953a5f110d3ba2c0b9
SHA1: a7de50320bd8a3e8c0d5445959ea4fc296667b15
SHA256: 717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc
SHA512: 526bc1b6efec9380f94f8a784aadf94a2121c24be94d2fb42b57675bc8223a01c08a0b97abb6439e9d52192afa49cf515e5ed12b98bc053294dd6cd9f2fceef7
SSDEEP: 786432:otu0coshxWHVn6s6b64G71jaoCo1Ha2XykTWHebn6D93:2u0jyC6Fb6V71JCo1Rae7C
Behavioral task: behavioral1
Sample: 717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc.exe
Resource: win7-20240903-en
Malware Config
Extracted: xworm
5.0
thetest.selfhost.co:1339
hyd6qZsPPsPPgljc
Install_directory: %ProgramData%
install_file: DirectOutputService.exe
Targets
Target: 717157d1d9377a0353d9a17f80c1a5571324851954cf381e58796d0ed7916ecc.exe (size and hashes as listed under General)
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)