General
- Target: XWorm V3.1 .exe
- Size: 10.1MB
- Sample: 230314-1v2hdaaa77
- MD5: 320526ae9b5dbd99a38d158578c84ccb
- SHA1: 60daf13da5fa663c1e7e67ac113fbb5859264b8c
- SHA256: 91a8aec23ab8e79172c8d7cbf6a733e73157941687eb58e8ffa543b7e721b7ea
- SHA512: 5c62082634d4abc4bc524b268c5bcf476f6a900cba8becc49e143c8b207f0f661e921a26a62df746236f65a9978b7691e541283835056c9c5a6efac0a382cf0f
- SSDEEP: 196608:ih0Avmh7fFbZyD3nvCEg+xyZTEQkM1V8/6zCSR6lGCUOGJ1PldRBo+zoDmAYU:iq1pbqdg+yZTUaCkZXOqdbS
Behavioral task
- behavioral1
- Sample: XWorm V3.1 .exe
- Resource: win7-20230220-en
Malware Config
Extracted: asyncrat
- 3LOSH RAT
- Mutex: AsyncMutex_7SI8OkPnk
- delay: 3
- install: true
- install_file: ContainerRuntime.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/Kb8rTgY7
Targets
- Target: XWorm V3.1 .exe
Signatures
- Async RAT payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger