General
-
Target
a.exe
-
Size
239KB
-
Sample
240629-w1tmhasgqa
-
MD5
f6bb396fd836f66cd9f33ca4b0262dd7
-
SHA1
bfc7036e32a59ac25db505d263b5f4cade24c53c
-
SHA256
1073ff4689cb536805d2881988b72853b029040f446af5ced18d1bc08b2266e1
-
SHA512
9b1668fa849054964470f8160835480d7618dd28845827b7ab1334935f8c657a4fe2ce07ed42593d558b3ac0bb3412bf9c188477008e189f6cdaae71255c28c2
-
SSDEEP
3072:PDOTa8CC9ooblQ7zDoxB4OlBW3q8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Y:bfIbSc83qUhcX7elbKTua9bfF/H9d9n
Behavioral task
behavioral1
Sample
a.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
a.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
3.1
6.tcp.eu.ngrok.io:13394
-
Install_directory
%Public%
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6674821695:AAExQsr6_hmXk6hz7CN4kMSi9cs9y86daYM/sendMessage?chat_id=5865520781
Targets
-
-
Target
a.exe
-
Size
239KB
-
MD5
f6bb396fd836f66cd9f33ca4b0262dd7
-
SHA1
bfc7036e32a59ac25db505d263b5f4cade24c53c
-
SHA256
1073ff4689cb536805d2881988b72853b029040f446af5ced18d1bc08b2266e1
-
SHA512
9b1668fa849054964470f8160835480d7618dd28845827b7ab1334935f8c657a4fe2ce07ed42593d558b3ac0bb3412bf9c188477008e189f6cdaae71255c28c2
-
SSDEEP
3072:PDOTa8CC9ooblQ7zDoxB4OlBW3q8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Y:bfIbSc83qUhcX7elbKTua9bfF/H9d9n
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1