General
-
Target
ed5d0573850a7b710c7ee2250d0b1849bcbac27652482f302d9632b8cdab76df.exe
-
Size
505KB
-
Sample
250307-re8r3s1vfx
-
MD5
6322038622ac996a0223263c05856334
-
SHA1
7a7352d5cd674107fc5833dd2721166184a7f9e9
-
SHA256
ed5d0573850a7b710c7ee2250d0b1849bcbac27652482f302d9632b8cdab76df
-
SHA512
f6a66cc33bf5e1dc26e4d1453a31752085710feb086fe6c54085f96f80f0cf8fc631bffab0eea2477fcb5d0331960c7f9d16013e84efbaacd2dddc962935a47c
-
SSDEEP
12288:lQAbZWUBjE8e3Pajq4fKIeKRcDD7hnGYpu2YpJTDT:l1bYUa8Esq6KACRUr9T
Malware Config
Extracted
xworm
3.1
ezizanneyaw.duckdns.org:4266
FiTlvrJ9jlda8Vht
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
ed5d0573850a7b710c7ee2250d0b1849bcbac27652482f302d9632b8cdab76df.exe
-
Size
505KB
-
MD5
6322038622ac996a0223263c05856334
-
SHA1
7a7352d5cd674107fc5833dd2721166184a7f9e9
-
SHA256
ed5d0573850a7b710c7ee2250d0b1849bcbac27652482f302d9632b8cdab76df
-
SHA512
f6a66cc33bf5e1dc26e4d1453a31752085710feb086fe6c54085f96f80f0cf8fc631bffab0eea2477fcb5d0331960c7f9d16013e84efbaacd2dddc962935a47c
-
SSDEEP
12288:lQAbZWUBjE8e3Pajq4fKIeKRcDD7hnGYpu2YpJTDT:l1bYUa8Esq6KACRUr9T
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1