General
-
Target
Algorithm_Converter_Arab-you.exe
-
Size
497KB
-
Sample
250307-lzlv6ayshx
-
MD5
7e01e34e779c50de84cc3e4321d68b6f
-
SHA1
31ec2e0168867753e0c649dbaeb92aaafb22f6d3
-
SHA256
ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa
-
SHA512
af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414
-
SSDEEP
12288:fGMnkN1TDTvX7ym4vw+8ixjvVem7kC+8:XG1TDTvLVkrMm
Malware Config
Extracted
xworm
3.0
3skr.uncofig.com:9999
f5nPSEGIk3s9ZJvj
-
Install_directory
%AppData%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7942324376:AAFz5Z-GdKIj1CePZyqIUmvNWOymMRw8Lmk/sendMessage?chat_id=2078478344
Targets
-
-
Target
Algorithm_Converter_Arab-you.exe
-
Size
497KB
-
MD5
7e01e34e779c50de84cc3e4321d68b6f
-
SHA1
31ec2e0168867753e0c649dbaeb92aaafb22f6d3
-
SHA256
ea2ab2ecedf5c203a42e9b29566ada7f70959f41e23e2346fc38322c2cfe43fa
-
SHA512
af9f51af435f41b9578c72f163d43abb3edd5bfb27fd7b0e4f83799f0df62bf5a9d8e813bf2aab2fc85414ac3f2997400ac5d833d6c77803c568ba954b6c6414
-
SSDEEP
12288:fGMnkN1TDTvX7ym4vw+8ixjvVem7kC+8:XG1TDTvLVkrMm
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-