General
Target: Output.exe
Size: 3.0MB
Sample: 250305-bjjqratzf1
MD5: 696ea7e1c266ab9fe67d8f2b323ad92c
SHA1: f0c16438b8df7e84bd6b638cab55409e7fd6c254
SHA256: eecf872218af1a28c765063a4d046199aefb77b59258447b3382fd81a502f11b
SHA512: 370c05a684e8df03077b71a3fe68765d360daef0f1785f612082a3554f4045961a94a195634e31b22060c8251b1abd4230418fcad06d4dc8531e935756389be6
SSDEEP: 49152:mvWsXzaGD+PEyYTeH9+0xlE6w0svsGL2Azabr4Gh596Us7yMIGointpKVWg9+Kn8:ia/PEyuR0xbwNCVHH9intMlVO77
Static task: static1
Behavioral task: behavioral1
Sample: Output.exe
Resource: win10v2004-20250217-en
Malware Config
Extracted family: xworm
C2: 127.0.0.1:36623
C2: fax-scenarios.gl.at.ply.gg:36623
Install_directory: %AppData%
install_file: svchost.exe
Targets
Target: Output.exe
Size: 3.0MB
MD5: 696ea7e1c266ab9fe67d8f2b323ad92c
SHA1: f0c16438b8df7e84bd6b638cab55409e7fd6c254
SHA256: eecf872218af1a28c765063a4d046199aefb77b59258447b3382fd81a502f11b
SHA512: 370c05a684e8df03077b71a3fe68765d360daef0f1785f612082a3554f4045961a94a195634e31b22060c8251b1abd4230418fcad06d4dc8531e935756389be6
SSDEEP: 49152:mvWsXzaGD+PEyYTeH9+0xlE6w0svsGL2Azabr4Gh596Us7yMIGointpKVWg9+Kn8:ia/PEyuR0xbwNCVHH9intMlVO77
Score: 10/10
Signatures:
Detect Xworm Payload
Xworm family
Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes)
Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
Drops startup file
Executes dropped EXE
Adds Run key to start application
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
  PowerShell (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
  Scheduled Task (1)