General
Target: Vulturi Stealer.exe
Size: 532KB
Sample: 250303-xvtkzswtes
MD5: e62f8723a8831b750c34e1ec7b24c48e
SHA1: 906a94b2d84038a5f236d4b8d8dbccbb1f16dc9c
SHA256: f37e1281da195bfde456802494ecf0b9d7ca54cca6e39bc633cce123a8806357
SHA512: dd452900d3c81c2a72c4f3c33b9dfc967477bf88c27da1a9b492ee76329d22b0e2c94563038cf03837408c2ed34bb1e5c05259f25fd116a227fceb4a1b056ea6
SSDEEP: 12288:PG/QZccyiGTWFmphezgoYX8OUE46o+wIg1z6S/qrD:PE9iGgskVYMOm6twIg1mS/I
Static task: static1
Behavioral task: behavioral1
Sample: Vulturi Stealer.exe
Resource: win7-20241023-en
Malware Config
Extracted
Family: xworm
C2: 146.190.110.91:3389
Install_directory: %AppData%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Targets
Target: Vulturi Stealer.exe
Size: 532KB
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE