General
Target: injector-helper.exe
Size: 184KB
Sample: 250303-pg7lpaxwez
MD5: c777067925c4275efccd6e31750b2a4d
SHA1: 52259a1bf97340490e0208145bb8c666e07c31f9
SHA256: 435011ebed0c301de1847935c54d9b80a4c279e380413d207febd895e8164e3f
SHA512: 0ad92779cc0073089d8c7c252eab1ff5e8ddafab9aa6a0391c41625a40a6ca46dd228bd3a36e0aaa399bd89b22e7fb09bc6bcb2f27c7e5f89b75a5798b22ce85
SSDEEP: 3072:P567FmwoIb5iz+bIOVMQMGxO1VjBz65/M6If+3Js+3JFkKeTno:P5im6iKbYjxBt25
Behavioral task: behavioral1
Sample: injector-helper.exe
Resource: win10ltsc2021-20250217-en
Malware Config
Extracted: xworm
Install_directory: %Temp%
install_file: svchost.exe
pastebin_url: https://pastebin.com/raw/kADeGNZE
Targets
Target: injector-helper.exe
Size: 184KB
MD5: c777067925c4275efccd6e31750b2a4d
SHA1: 52259a1bf97340490e0208145bb8c666e07c31f9
SHA256: 435011ebed0c301de1847935c54d9b80a4c279e380413d207febd895e8164e3f
SHA512: 0ad92779cc0073089d8c7c252eab1ff5e8ddafab9aa6a0391c41625a40a6ca46dd228bd3a36e0aaa399bd89b22e7fb09bc6bcb2f27c7e5f89b75a5798b22ce85
SSDEEP: 3072:P567FmwoIb5iz+bIOVMQMGxO1VjBz65/M6If+3Js+3JFkKeTno:P5im6iKbYjxBt25
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)