General
-
Target
2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch
-
Size
6.6MB
-
Sample
250406-m2rpvswyct
-
MD5
12778dfad55cfadd9a32f3f4b0f83d32
-
SHA1
dc40d26edd670ee5d87633349381da36f7c7bf34
-
SHA256
0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a
-
SHA512
f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47
-
SSDEEP
49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd
Malware Config
Extracted
xworm
5.0
127.0.0.1:9000
45.134.39.20:9000
oV8zKY7m1pKloRzQ
-
install_file
USB.exe
Targets
-
-
Target
2025-04-06_12778dfad55cfadd9a32f3f4b0f83d32_frostygoop_ghostlocker_sliver_snatch
-
Size
6.6MB
-
MD5
12778dfad55cfadd9a32f3f4b0f83d32
-
SHA1
dc40d26edd670ee5d87633349381da36f7c7bf34
-
SHA256
0a3bcc2d1ab0ff3c46f3ada8a6e904a91815875e3775897a1ac93e74c64fc86a
-
SHA512
f94db534ee3b5f4b368ca620312363799e25f37ed11be8f3e54347340356e0372b1ec5dde0deb188e95ee5da56804565ef8e4db0779caf0f51b4759ea7812d47
-
SSDEEP
49152:7QrUu2sJBe6tT5QS02AowPFCF6j5QGbpY/vlvRf3uElo03Nbo3AWg4VAT4s4Pqo8:KUvsJBjTOGgP8JGbIxx93S317VATd
Score10/10-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-