General
Target: BootstrapperNew.exe
Size: 2.9MB
Sample: 250304-3mz1patmz7
MD5: a6e5c269f23e7de3907676c9b4220e36
SHA1: 4fec20effa5aa204a6fb5d6ec6da9efee2b23162
SHA256: 7221fe6503a6c7a114a70601e6211093698d74c5286f8ff17822df52b510cfd5
SHA512: 9d56b1ce265c47206b650e212f61050f653290a773ab266d774c37e61579015b3e1cc876c240dc31d8878365a1373da7e9df683217323bd63f1ccf2edb636b00
SSDEEP: 49152:QLEu3S+KvEhtxXrdoQ9/SSA6d/MxC6U+3SVTlIJMuy4V5jDFQPKW9OTk8o:qjS+KvEFmASRuf6L3aqvFM9O5o
Static task: static1
Behavioral task: behavioral1
Sample: BootstrapperNew.exe
Resource: win10ltsc2021-20250217-en

Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:36623
C2: fax-scenarios.gl.at.ply.gg:36623
iq4Cbvqxc9yxmDW5
Install_directory: %AppData%
install_file: svchost.exe
Targets
Target: BootstrapperNew.exe
Size: 2.9MB
Score: 10/10

Signatures
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)