General
Target: XC12lient.exe
Size: 60KB
Sample: 240630-m8w8xszemq
MD5: 80000eb10a99df44b557670aded4d0bf
SHA1: 861f71e942652a8cea932de335c1d577e3147299
SHA256: 2297d34f5b6e39fb06ea7ee6f9fb1c6572b7a98b4c76a5c3bfd4dd351926b1ff
SHA512: c88d3af7ed0b1005da734f40a9947f44eef68d769086f906855d4a718584ee84eed14c2b963aed433aaefba2b4bd57e03a1cc92b1f1712e6d40b4cac80c3f6da
SSDEEP: 1536:iNqQAXim/v4vO9Hru5o8eWwbH3EanV6EOcOSED:icZ/m8HreoJbHHHOcOTD
Malware Config
Extracted
Family: xworm
Version: 3.1
C2: 2.tcp.eu.ngrok.io:11215
Install_directory: %AppData%
install_file: USB.exe
Targets
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.