General
-
Target
Vanta Bundle.rar
-
Size
100KB
-
Sample
250328-h5ykcss1bx
-
MD5
b622d4beb1f53e776cbe210b5c0bd3af
-
SHA1
c7a09721ad876715a9c419db5da263fe3dc1d905
-
SHA256
ae790bbbadeb38db0e345970612a859e0b9888c976d798105a48a81ced48ff40
-
SHA512
460ee20a7e044e7351bcb6534823ea28f30de20e71192571ef351b72e559719efd2ffc70f176fe39cc8c03c4c9e52f5ee26aa3897f76cca403a0eb0b6d45cd86
-
SSDEEP
1536:e19R7X+Z3yNPvbCrWNHdUUYtboOeJSpL0VblnPwVa/YgL1m2msA+N40rEVc:eByZcDCWY1NoOlpgVdwMnL1ZmN+N4wEe
Malware Config
Extracted
xworm
documents-johnny.gl.at.ply.gg:63203:63203
documents-johnny.gl.at.ply.gg:63203
-
Install_directory
%AppData%
-
install_file
XClient.exe
Targets
-
-
Target
Vanta Bundle.rar
-
Size
100KB
-
MD5
b622d4beb1f53e776cbe210b5c0bd3af
-
SHA1
c7a09721ad876715a9c419db5da263fe3dc1d905
-
SHA256
ae790bbbadeb38db0e345970612a859e0b9888c976d798105a48a81ced48ff40
-
SHA512
460ee20a7e044e7351bcb6534823ea28f30de20e71192571ef351b72e559719efd2ffc70f176fe39cc8c03c4c9e52f5ee26aa3897f76cca403a0eb0b6d45cd86
-
SSDEEP
1536:e19R7X+Z3yNPvbCrWNHdUUYtboOeJSpL0VblnPwVa/YgL1m2msA+N40rEVc:eByZcDCWY1NoOlpgVdwMnL1ZmN+N4wEe
Score1/10 -
-
-
Target
Vanta Bundle/Read-Me.txt
-
Size
1KB
-
MD5
86522812df51d3017058561672a30150
-
SHA1
bd9a42ebd79d8907888903374a8282e3d5b92e68
-
SHA256
cd23cd2d86159dbcf00c74a66d408412cde93d58d7c28f40d3665a7fcf917f80
-
SHA512
feb9673af43bc8b295d08aa3e6b33069ec1f3ad828cdf2acd38cfb871b515b7af01846b8d7004056f105a7bafa4b1b264eeb7d22e345df405bbe94f52022bf2c
Score1/10 -
-
-
Target
Vanta Bundle/Vanta Loader.exe
-
Size
103KB
-
MD5
7c55349ebd2e7a02bb00f3da322fe324
-
SHA1
b311a9f3bd9384b1f0670829f8542efe6ee36669
-
SHA256
9f3f1e2fb2144b98704d12094feec42ee6f17a12d934717cc2641bd22d711faa
-
SHA512
80569369c223bef0617ddd72136a998eb05f3ff4185f093b714efa73f97452160e18b97112a5471469159caab6189a023aa5f51e0cb29a4b3a3eb5613d746e47
-
SSDEEP
3072:+J5RlYgEN4yo/UnboOAFxb+9E/mvi/SREt:ql5WE9mv+A
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-