General
-
Target
helloworld.exe
-
Size
71KB
-
Sample
250303-vxd7zatvev
-
MD5
9abc77c7a2d864322641837bda3d51b1
-
SHA1
3f295fdab7c126e9bbe2a02b0faf4147f120cb90
-
SHA256
37a61a8e9a2c0d24dba2ef51d0bdde5fde4182f0218bee900f4213cc783963ff
-
SHA512
69c865f20c97a1e569eb9d2e5a9813747b9882c75e822edca08bbe92ca6b71f72c0ee7c8cfe1d5b6a953acf64ba3a6820b39c8492334240622c8262e31ba1723
-
SSDEEP
1536:8nNYWPeZZ8GTqR8xGXf1qTHjIpAB+bZT5AR6WpZOVOE4jf:8HLGTk3g/IpAB+bZQfOoxf
Malware Config
Extracted
xworm
PovodPoestGovna-63080.portmap.io:63080:9989
-
Install_directory
%AppData%
-
install_file
Windows Defender.exe
Targets
-
-
Target
helloworld.exe
-
Size
71KB
-
MD5
9abc77c7a2d864322641837bda3d51b1
-
SHA1
3f295fdab7c126e9bbe2a02b0faf4147f120cb90
-
SHA256
37a61a8e9a2c0d24dba2ef51d0bdde5fde4182f0218bee900f4213cc783963ff
-
SHA512
69c865f20c97a1e569eb9d2e5a9813747b9882c75e822edca08bbe92ca6b71f72c0ee7c8cfe1d5b6a953acf64ba3a6820b39c8492334240622c8262e31ba1723
-
SSDEEP
1536:8nNYWPeZZ8GTqR8xGXf1qTHjIpAB+bZT5AR6WpZOVOE4jf:8HLGTk3g/IpAB+bZQfOoxf
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1