General
-
Target
XClient.exe
-
Size
60KB
-
Sample
240630-zf76yayblr
-
MD5
107166f06c0965273058e6489798265a
-
SHA1
d43d853647183243b372248d4d0961d02157857e
-
SHA256
1558720751a4d37a2074f66f8ea7a65b1e3dff9e0c6cc395e6bcbd072fba690a
-
SHA512
208f998921ba32e015b046fd767ab682f9a4fce22655ac993b0e60886b6dcd8ed3cb7d710835c576a7233bc56bf116771d8bdda81e7d31d0a98f98eaac57fce2
-
SSDEEP
768:Wwjm6MDIGIt41FrtzWGDaCZrFcHubobWoYu2m6AzPyOKwJv7h3MSghzA3eny:nMkGuaTBWqrFHbobWofR6C6OKQ7pjuy
Malware Config
Extracted
xworm
3.1
0.tcp.eu.ngrok.io::12233
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
XClient.exe
-
Size
60KB
-
MD5
107166f06c0965273058e6489798265a
-
SHA1
d43d853647183243b372248d4d0961d02157857e
-
SHA256
1558720751a4d37a2074f66f8ea7a65b1e3dff9e0c6cc395e6bcbd072fba690a
-
SHA512
208f998921ba32e015b046fd767ab682f9a4fce22655ac993b0e60886b6dcd8ed3cb7d710835c576a7233bc56bf116771d8bdda81e7d31d0a98f98eaac57fce2
-
SSDEEP
768:Wwjm6MDIGIt41FrtzWGDaCZrFcHubobWoYu2m6AzPyOKwJv7h3MSghzA3eny:nMkGuaTBWqrFHbobWofR6C6OKQ7pjuy
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-