General
Target: GXK5E_fsdjgfsdhnfgsd.bat
Size: 65KB
Sample: 250304-q51nqa1ygy
MD5: e6ee7aca370346191e07ae542b95cb8c
SHA1: 0a2376a42bd1639cab1909e22ad423a4cefab293
SHA256: bb6ebd1e6609ffd3ca442aa965cebdab07071715abef65b46e145ad1f700a2d6
SHA512: 7583d3b036ed7bd23f480772fb6f2f70acca8f01be0b6a2a45eb1d7887d38060c2e49435a1e04db8a3a6f06d5200b794bd604559576b6310618607837614cf4a
SSDEEP: 1536:ypDhvQgdHQgXro4uFtnqK00ZVrKt1ag2pN7Gop:yXE4uFkKLkanNSop
Static task: static1
Behavioral task: behavioral1 (sample GXK5E_fsdjgfsdhnfgsd.bat, resource win7-20240903-en)
Behavioral task: behavioral2 (sample GXK5E_fsdjgfsdhnfgsd.bat, resource win10v2004-20250217-en)
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 45.144.212.242:7000
Mutex: GHrcTVoc3c8G04bh (this field is unlabeled in the extraction; it is the random 16-character string Xworm uses as its mutex)
Install_directory: %AppData%
install_file: SubDir.exe (so the implant is installed as %AppData%\SubDir.exe)
Targets
Target: GXK5E_fsdjgfsdhnfgsd.bat
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Executes dropped EXE
Adds Run key to start application
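The signatures above describe a recognisable chain: PowerShell adds Defender exclusions, the payload is dropped under %AppData% and executed, and persistence is set through a Run key and a scheduled task, before the implant reaches the extracted C2. The following is an added example, not part of the sandbox report and not Xworm's own code: a small detector that walks endpoint telemetry records and flags each of those behaviours, using the IOCs from the extracted config. The event records and their field names (type, image, cmdline, key, value, dst_ip, dst_port) are a constructed, Sysmon-like schema chosen for the demo, not a real product's format, and the registry key used for the country-code lookup (HKCU\Control Panel\International\Geo) is an assumption about what the "Checks computer location settings" signature keys on.

```python
r"""Added example (not from the report): flag the Xworm behaviours the
sandbox signatures describe, over constructed Sysmon-style event records.
Schema and the Geo registry key below are assumptions for the demo."""
import re

# IOCs taken from the extracted config above.
C2_HOST, C2_PORT = "45.144.212.242", 7000
INSTALL_FILE = "SubDir.exe"

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Add-MpPreference with any of the three exclusion switches the report names.
MP_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I | re.S)
# Assumed location of the country-code setting queried for the geofence check.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)


def analyze(events):
    """Return (rule_name, event_index) pairs in event order."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            img = ev.get("image", "").lower()
            if img.endswith("powershell.exe") and MP_EXCLUSION.search(cmd):
                hits.append(("defender_exclusion_via_powershell", i))
            if img.endswith("schtasks.exe") and re.search(r"\s/create\b", cmd, re.I):
                hits.append(("scheduled_task_created", i))
            # "Executes dropped EXE": the install file running out of %AppData%.
            if img.endswith("\\" + INSTALL_FILE.lower()) and "\\appdata\\roaming\\" in img:
                hits.append(("dropped_exe_executed_from_appdata", i))
        elif kind == "registry_set":
            if RUN_KEY.search(ev.get("key", "")) and INSTALL_FILE.lower() in ev.get("value", "").lower():
                hits.append(("run_key_persistence", i))
        elif kind == "registry_query":
            if GEO_KEY.search(ev.get("key", "")):
                hits.append(("geo_location_lookup", i))
        elif kind == "network":
            if ev.get("dst_ip") == C2_HOST and ev.get("dst_port") == C2_PORT:
                hits.append(("xworm_c2_connection", i))
    return hits


# Constructed telemetry for the demo (not captured from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\GXK5E_fsdjgfsdhnfgsd.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoP -W Hidden -C Add-MpPreference -ExclusionPath 'C:\Users\u\AppData\Roaming' -ExclusionProcess 'SubDir.exe'"},
    {"type": "registry_query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SubDir",
     "value": r"C:\Users\u\AppData\Roaming\SubDir.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc minute /mo 1 /tn "SubDir" /tr "C:\Users\u\AppData\Roaming\SubDir.exe"'},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\SubDir.exe", "cmdline": "SubDir.exe"},
    {"type": "network", "dst_ip": C2_HOST, "dst_port": C2_PORT},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign, no hit
]

if __name__ == "__main__":
    for rule, idx in analyze(SAMPLE_EVENTS):
        print(f"{rule:36s} event#{idx}: {SAMPLE_EVENTS[idx]}")
```

Each rule fires on a single event, so a real deployment would score the combination (exclusion plus Run key plus C2 within one process tree) rather than any one hit; the Defender-exclusion rule in particular is the one worth alerting on alone, since legitimate software rarely adds exclusions from a hidden, non-interactive PowerShell session.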
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter: PowerShell (T1059.001, 1 signature)
  Scheduled Task/Job: Scheduled Task (T1053.005, 1 signature)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001, 1 signature)
  Scheduled Task/Job: Scheduled Task (T1053.005, 1 signature)