General
-
Target
t.exe
-
Size
16.1MB
-
Sample
250308-cb62ra1jv2
-
MD5
711e16c516aab061a834070a0dd4c563
-
SHA1
40767d77ba1f08855133cb93cfdebc80f705a5b4
-
SHA256
e4fc8910dec3bed957d092b951e2a732dc19a6100a48510bca0eb9d888756c9e
-
SHA512
48c4e08b60c3cd0b4e9cebe84136d9cdebd9b749d9e4982a15e9d5577020fbbd43265d8e582a04bc94687750b6217e1c8423fa0db7d5b53d70ba116c7e4f906b
-
SSDEEP
393216:09Yiiia1FfHqO1UyXMCHWUjlVg74w45fPVBFHCRJc8:09Yi/uiyXMb8PDw45fPVqRO8
Malware Config
Extracted
xworm
5.0
thetest.selfhost.co:1339
gg7Iy7YWpoOUVWNv
-
Install_directory
%ProgramData%
-
install_file
DirectOutputService.exe
Targets
-
-
Target
t.exe
-
Size
16.1MB
-
MD5
711e16c516aab061a834070a0dd4c563
-
SHA1
40767d77ba1f08855133cb93cfdebc80f705a5b4
-
SHA256
e4fc8910dec3bed957d092b951e2a732dc19a6100a48510bca0eb9d888756c9e
-
SHA512
48c4e08b60c3cd0b4e9cebe84136d9cdebd9b749d9e4982a15e9d5577020fbbd43265d8e582a04bc94687750b6217e1c8423fa0db7d5b53d70ba116c7e4f906b
-
SSDEEP
393216:09Yiiia1FfHqO1UyXMCHWUjlVg74w45fPVBFHCRJc8:09Yi/uiyXMb8PDw45fPVqRO8
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1