Resubmissions

30/05/2025, 00:08

250530-aez2hazzdw 10

29/05/2025, 23:58

250529-31hcsszrv6 10

General

  • Target

    https://gofile.io/d/EpD1Bi

  • Sample

    250529-31hcsszrv6

Malware Config

Extracted

Family

xworm

C2

https://pastebin.com/raw/L9Arn719:5656

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

  • pastebin_url

    https://pastebin.com/raw/L9Arn719

Targets

    • Target

      https://gofile.io/d/EpD1Bi

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16

Tasks