General
-
Target
OperaGXSetup.exe
-
Size
3.9MB
-
Sample
250306-vrg2nstqv9
-
MD5
331950dc665052789dc9fcb607cc10af
-
SHA1
8d1844ecd27a34256f5a87721c871de3ce8d86a3
-
SHA256
e0176bf1acaea751b8d442619caa6959fcd9c4887e5d683f00bbe8a2354d1a47
-
SHA512
a0af358f927789c55ce583e6949bca0fe5b7fcb7ba3b18e56854ea81576dd8630fb1d3b4147b140d75800bb24291d00767dfc1e49441c9cb643fdf917c1a034c
-
SSDEEP
98304:FbTeX1UoBvNOXAsA9wsS9w8dinuqwpMMvcVUwf:FePZNOXDAyLw5NwKUw
Malware Config
Extracted
https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
xworm
-
Install_directory
%port%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/J42c6s7r
Targets
-
-
Target
OperaGXSetup.exe
-
Size
3.9MB
-
MD5
331950dc665052789dc9fcb607cc10af
-
SHA1
8d1844ecd27a34256f5a87721c871de3ce8d86a3
-
SHA256
e0176bf1acaea751b8d442619caa6959fcd9c4887e5d683f00bbe8a2354d1a47
-
SHA512
a0af358f927789c55ce583e6949bca0fe5b7fcb7ba3b18e56854ea81576dd8630fb1d3b4147b140d75800bb24291d00767dfc1e49441c9cb643fdf917c1a034c
-
SSDEEP
98304:FbTeX1UoBvNOXAsA9wsS9w8dinuqwpMMvcVUwf:FePZNOXDAyLw5NwKUw
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-