General
-
Target
https://cdn.discordapp.com/attachments/1346963151010271362/1347597718553497692/Vortex_Gen_PATCHED.rar?ex=67cc67ad&is=67cb162d&hm=c4df6fb150802af3e4f40d080a5adf7d9ae3f0fe2421c171ffbd3f3d0b765b3b&
-
Sample
250307-tbvgdstjt6
Malware Config
Extracted
xworm
127.0.0.1:45776
unit-wellness.gl.at.ply.gg:45776
-
Install_directory
%ProgramData%
-
install_file
discord.exe
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1346963151010271362/1347597718553497692/Vortex_Gen_PATCHED.rar?ex=67cc67ad&is=67cb162d&hm=c4df6fb150802af3e4f40d080a5adf7d9ae3f0fe2421c171ffbd3f3d0b765b3b&
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1