Overview

overview

10

Static

static

10

Excellent3.0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Excellent3.0.exe

  • Size

    76KB

  • Sample

    250305-lvxrvswkv9

  • MD5

    401131f795244c4e21d3e50f7612f85c

  • SHA1

    98b156b8f67b98cd8f4640a0c17d9b85c87cf516

  • SHA256

    ac916cba0427c21dede94cb1b3bb061ea7502d865a8964918ea976948b27af48

  • SHA512

    5957f631d0a0c99b76fccd000de8f9d3d6084cdfc24d2cfa832045da43eda93b456ecfc2fe3a7457b761a4a698f4cd287a535da144489efc6fd85a6b531ee6e2

  • SSDEEP

    1536:1aobhfsGh035rMe4VeC8Tl+bxPBvtzfwl6kJK6vlbYOB7p7Y+k:1aU25rMRVF8B+bDvSNkylcOB71Y+k

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

used-billion.gl.at.ply.gg:43161

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Targets

    • Target

      Excellent3.0.exe

    • Size

      76KB

    • MD5

      401131f795244c4e21d3e50f7612f85c

    • SHA1

      98b156b8f67b98cd8f4640a0c17d9b85c87cf516

    • SHA256

      ac916cba0427c21dede94cb1b3bb061ea7502d865a8964918ea976948b27af48

    • SHA512

      5957f631d0a0c99b76fccd000de8f9d3d6084cdfc24d2cfa832045da43eda93b456ecfc2fe3a7457b761a4a698f4cd287a535da144489efc6fd85a6b531ee6e2

    • SSDEEP

      1536:1aobhfsGh035rMe4VeC8Tl+bxPBvtzfwl6kJK6vlbYOB7p7Y+k:1aU25rMRVF8B+bDvSNkylcOB71Y+k

    Score
    10/10
    xwormexecutionpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Tasks