General
Target: s.exe
Size: 769KB
Sample: 231018-skr7ysgh22
MD5: d556d1a3b5eb0438b0b865b644222f3c
SHA1: 4d09754186566dbb05aa4abcf3a3af2dbabdfa08
SHA256: 43beca96dce7467f6c9b9aadb881811bb105cca8336c2c52a9ebbf2f944b07f8
SHA512: 9aa1b7a01982b1cf136db08e0b2e796954e28c2a3ecf64300041b9031dfbf6e7406af7f84a0bcdf13fc3e6fd4afd803426e7c0c8cb686d36169384cf96ffa384
SSDEEP: 12288:NZtRx3bXt3k20oFDhSVDH8sz3yYPhYUjDRlCaj+csveMMGkqCTOudrKS:B7t3JxhSVT8q3yOhQajHsxbkKS
Static task: static1
Behavioral task: behavioral1
Sample: s.exe
Resource: win7-20230831-en

Malware Config
Extracted
Family: xworm
Version: 5.0
C2: juandice-60636.portmap.io:5000
Install_directory: %AppData%
install_file: original.exe
telegram: https://api.telegram.org/bot5611504908:AAFpsAphAhLPMq_kq8cWKLPJIpuCJ0Znw9Y/sendMessage?chat_id=5493226523
Targets
Target: s.exe
Size: 769KB
MD5: d556d1a3b5eb0438b0b865b644222f3c
SHA1: 4d09754186566dbb05aa4abcf3a3af2dbabdfa08
SHA256: 43beca96dce7467f6c9b9aadb881811bb105cca8336c2c52a9ebbf2f944b07f8
SHA512: 9aa1b7a01982b1cf136db08e0b2e796954e28c2a3ecf64300041b9031dfbf6e7406af7f84a0bcdf13fc3e6fd4afd803426e7c0c8cb686d36169384cf96ffa384
SSDEEP: 12288:NZtRx3bXt3k20oFDhSVDH8sz3yYPhYUjDRlCaj+csveMMGkqCTOudrKS:B7t3JxhSVT8q3yOhQajHsxbkKS

Signatures
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
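The extracted config (C2 host and port, %AppData%\original.exe install path, Telegram bot URL) and the persistence signatures above are the hunting pivots a responder would turn into a sweep. The script below is an added example, not part of the sandbox report or the XWorm codebase: it lifts those values from the report, splits the Telegram URL into bot id / token / chat_id so the stable numeric bot id can be matched without the rotatable token, and runs the resulting IOC checks over constructed Sysmon-style and proxy log lines. It assumes %AppData% expands to C:\Users\<user>\AppData\Roaming; the log lines, the user name bob and the SID fragment are invented for the demo.

```python
"""IOC sweep built from the XWorm 5.0 config extracted in the report above.

Added example, not part of the sandbox report. The IOC constants are copied
from the report; SAMPLE_LOGS is constructed for the demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# --- values lifted from the extracted config and hashes in the report ---
C2_HOST = "juandice-60636.portmap.io"
C2_PORT = 5000
INSTALL_FILE = "original.exe"          # dropped into %AppData%
TELEGRAM_URL = (
    "https://api.telegram.org/bot5611504908:AAFpsAphAhLPMq_kq8cWKLPJIpuCJ0Znw9Y"
    "/sendMessage?chat_id=5493226523"
)
SAMPLE_SHA256 = "43beca96dce7467f6c9b9aadb881811bb105cca8336c2c52a9ebbf2f944b07f8"


def parse_telegram_url(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat_id.

    The numeric bot id before the colon is the durable pivot: an operator can
    rotate the token, but the bot id and chat_id usually stay the same.
    Returns None for anything that is not an api.telegram.org bot call.
    """
    parts = urlsplit(url)
    m = re.fullmatch(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", parts.path)
    if parts.netloc != "api.telegram.org" or m is None:
        return None
    return {
        "bot_id": m.group(1),
        "token": m.group(2),
        "method": m.group(3),
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


TG = parse_telegram_url(TELEGRAM_URL)

# Assumption: %AppData% resolves to C:\Users\<user>\AppData\Roaming, so both the
# dropped file and the Run value data should end in \AppData\Roaming\original.exe.
_RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
_INSTALL_PATH = re.compile(r"\\appdata\\roaming\\" + re.escape(INSTALL_FILE), re.I)
_C2_SOCKET = re.compile(re.escape(C2_HOST) + r".*\b" + str(C2_PORT) + r"\b", re.I)
_TG_BOT = re.compile(r"api\.telegram\.org/bot" + TG["bot_id"] + r"\b", re.I) if TG else None


def match_iocs(log_lines):
    """Return (line_no, tag) pairs for every IOC hit; one line may carry several tags."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        if SAMPLE_SHA256 in low:
            hits.append((n, "xworm_sample_sha256"))
        if _C2_SOCKET.search(line):
            hits.append((n, "xworm_c2_socket"))        # host and port 5000 together
        elif C2_HOST in low:
            hits.append((n, "xworm_c2_host"))          # e.g. a DNS lookup, no port yet
        if _TG_BOT and _TG_BOT.search(line):
            hits.append((n, "xworm_telegram_bot"))
        if _RUN_KEY.search(line) and _INSTALL_PATH.search(line):
            hits.append((n, "xworm_run_key_persistence"))
        elif _INSTALL_PATH.search(line):
            hits.append((n, "xworm_install_path"))
    return hits


# Constructed Sysmon-style (EventID 1/11/13/22/3) and proxy lines; not from the report.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Users\bob\Downloads\s.exe "
    r"Hashes=SHA256=43BECA96DCE7467F6C9B9AADB881811BB105CCA8336C2C52A9EBBF2F944B07F8",
    r"EventID=11 Image=C:\Users\bob\Downloads\s.exe "
    r"TargetFilename=C:\Users\bob\AppData\Roaming\original.exe",
    r"EventID=13 Image=C:\Users\bob\AppData\Roaming\original.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\original "
    r"Details=C:\Users\bob\AppData\Roaming\original.exe",
    r"EventID=22 Image=C:\Users\bob\AppData\Roaming\original.exe "
    r"QueryName=juandice-60636.portmap.io",
    r"EventID=3 Image=C:\Users\bob\AppData\Roaming\original.exe Protocol=tcp "
    r"DestinationHostname=juandice-60636.portmap.io DestinationPort=5000",
    "proxy GET " + TELEGRAM_URL + " 200",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.org",
]

if __name__ == "__main__":
    for line_no, tag in match_iocs(SAMPLE_LOGS):
        print(f"line {line_no}: {tag}")
```

The Run-key rule requires both the CurrentVersion\Run path and the %AppData%\original.exe value data, so a benign Run entry or a benign file in Roaming does not fire it on its own; a lone install-path hit is kept as a weaker tag so the responder still sees the process running from the drop location.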