General
Target: dbcc133f852cf1c898fd71db2f0f09153c55577a7c8f0886882d52713ecb186f
Size: 1.2MB
Sample: 231212-la8cvscac5
MD5: e498c9b3458651c78ca99a3b1936ca12
SHA1: be68a3baca77108317a09e3eb0da79b2bb0239b8
SHA256: dbcc133f852cf1c898fd71db2f0f09153c55577a7c8f0886882d52713ecb186f
SHA512: c5eddd5ccd8a6c16541397aa212ba3b9debc88fce5bfe247f16c5e7f23646c4f7440926c4384b2808993c9e396dc92369ed1d637e119d2faea498bc1eba0940f
SSDEEP: 24576:LpBx8FYm5k48ZNEvPcwkcy2uH3edcUdqgU5gYhhcbspUPhv:L5Tm5kavPdRZuuWUknvst
Static task: static1
Behavioral task: behavioral1
  Sample: REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
  Resource: win10v2004-20231130-en
Behavioral task: behavioral3
  Sample: UPDATED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1219 , SO 6722.DOC.scr
  Resource: win7-20231023-en
Behavioral task: behavioral4
  Sample: UPDATED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1219 , SO 6722.DOC.scr
  Resource: win10v2004-20231127-en
Malware Config
Extracted: xworm
  104.250.180.178:7061
  Install_directory: %AppData%
  install_file: XWorm V5.2 Optimized.exe
Extracted: remcos
  RemoteHost: 104.250.180.178:7902
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: AnyDesk.exe
  copy_folder: AnyDesk
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: true
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: AnyDesk
  mouse_option: false
  mutex: AnyDesk-8BNQK6
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
Targets
Target: REVISED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1129 , SO 6722.DOC.scr
Size: 447KB
MD5: c824d690e03774ac57c0967f721e09e3
SHA1: b4f4db1fbb3606a94618b8fc783ceecb9bd2a4d8
SHA256: cf632203d1e3b90e91deacdd99295bd81807e8de345d1716472eef5557c33ce1
SHA512: 8741063e5f1f73848dcf3043675b20f3142b818d27a068034a79e4a4bed38a59294293f5e58306b495e4d141d4909d7fb61ab5ca8d1ebee62831ad411030377f
SSDEEP: 12288:S3IU8S6eUdJe4AYn1svkGWFWKvBo7gG3BU:IItSAdJZ+O6g
- Detect Xworm Payload
- Detect ZGRat V1
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
Target: UPDATED (DELAY NOTICE) - CIF Hamburg by Sea - ETC 1219 , SO 6722.DOC.scr
Size: 869KB
MD5: 4f0c56459b4f0e8f51502e434d1ffc24
SHA1: b36e6bd0cf69d7b0258ace48f01feff65a6fb4c5
SHA256: ae86206a568d280d3e030ec9649148ff98b59c6e3cd25e78094cc53631b674d7
SHA512: e34912e2840cc9991eb4102ede29f85b0cc812fa1e44d19a0fa5b7397bf207f6e0b374c5e121cffc69e63b9fc8c11113c1c70a66e2d756cc27d9692fd93b7ea3
SSDEEP: 24576:UItSAd7nDUHhpSahNdsUdKgU/CY/hkpqV+sjU5:UtN/PaUERXBa
Score: 10/10
- Detect ZGRat V1
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext