General
-
Target
RobloxExecutor.exe
-
Size
316KB
-
Sample
240701-a2hqqstgjn
-
MD5
f0c864fee64edd613b413ddb7c559446
-
SHA1
87e75a58eef9f3765a2eed498f6aca135b1ef7c4
-
SHA256
f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
-
SHA512
9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
-
SSDEEP
3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p
Static task
static1
Malware Config
Extracted
xworm
5.0
allows-welfare.gl.at.ply.gg:49180
B2qPpHuLCfcwYFiL
-
Install_directory
%AppData%
-
install_file
System.exe
Targets
-
-
Target
RobloxExecutor.exe
-
Size
316KB
-
MD5
f0c864fee64edd613b413ddb7c559446
-
SHA1
87e75a58eef9f3765a2eed498f6aca135b1ef7c4
-
SHA256
f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
-
SHA512
9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
-
SSDEEP
3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-