General
-
Target
RobloxCheat.exe
-
Size
61KB
-
Sample
240701-t2rs7asekq
-
MD5
1173330bc76af605137db64a6377f523
-
SHA1
09713c6e32cc1304dcb40604a1695d7830ceffe3
-
SHA256
f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7
-
SHA512
57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24
-
SSDEEP
1536:oHdD3qptlFkbr9H8pV2Vi6lMVOElJJuJXc:Kxq3kbrx8pMVeOElJcJM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
Targets
-
-
Target
RobloxCheat.exe
-
Size
61KB
-
MD5
1173330bc76af605137db64a6377f523
-
SHA1
09713c6e32cc1304dcb40604a1695d7830ceffe3
-
SHA256
f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7
-
SHA512
57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24
-
SSDEEP
1536:oHdD3qptlFkbr9H8pV2Vi6lMVOElJJuJXc:Kxq3kbrx8pMVeOElJcJM
Score10/10-
Detect Xworm Payload
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Hide Artifacts
2Hidden Files and Directories
2