General
- Target: 234ea596c74a48e69cee880ce2bf83bfa7cc616220655726ee8e8e57b4fea1be.exe
- Size: 76KB
- Sample: 250302-cm2w6sz1d1
- MD5: ad6bad60fc5ad8e7f7353e7b787bfb4d
- SHA1: 48f7a8a0c7f06e384cea2fafec62b41e1e5cd567
- SHA256: 234ea596c74a48e69cee880ce2bf83bfa7cc616220655726ee8e8e57b4fea1be
- SHA512: e2a9aec9dae0649c3e84254c481a772a928da938d43970871770ca9e3d782b81584266fc7f192a82e20cbedab201a198c94173103883081ca356a4c3ed64283c
- SSDEEP: 1536:dNZaFIN/AGCqxzs+bi15FU6oK/1OU4tXGSKUkdS1EAd8IIp:dOFIN/LRFs+biRNOU4Jy9gEA6IIp
Behavioral task: behavioral1
- Sample: 234ea596c74a48e69cee880ce2bf83bfa7cc616220655726ee8e8e57b4fea1be.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 234ea596c74a48e69cee880ce2bf83bfa7cc616220655726ee8e8e57b4fea1be.exe
- Resource: win10v2004-20250217-en
Malware Config
Extracted: xworm
- la-judgment.gl.at.ply.gg:62627
- Install_directory: %ProgramData%
- install_file: update.exe
Targets
- Target: 234ea596c74a48e69cee880ce2bf83bfa7cc616220655726ee8e8e57b4fea1be.exe
- Size: 76KB
- MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
Score: 10/10
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)