General
-
Target
Gk67Vl
-
Size
1KB
-
Sample
240310-v72e9ahb94
-
MD5
0961eb13ef799b1c1f2a335965f343bd
-
SHA1
5d7ce0e0c0137d85da4d7ced88bff2bdba80ed20
-
SHA256
8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435
-
SHA512
554458650ceec6f091e6451ed3eb46141d98deba5cab9fc54c0b956b90939caf5d846edc6ae4d368d88a964c2259f5cf9fcadc8f7e610b30928ea65af9b5c777
Static task
static1
Behavioral task
behavioral1
Sample
Gk67Vl.html
Resource
win10v2004-20240226-en
Malware Config
Extracted
xworm
78.69.106.17:8000
-
Install_directory
%AppData%
-
install_file
Update.exe
Extracted
gozi
Targets
-
-
Target
Gk67Vl
-
Size
1KB
-
MD5
0961eb13ef799b1c1f2a335965f343bd
-
SHA1
5d7ce0e0c0137d85da4d7ced88bff2bdba80ed20
-
SHA256
8ef0aa04db9fe87fe3e9d92103882dde1531a55f8c7fcbceda55f8ae4f501435
-
SHA512
554458650ceec6f091e6451ed3eb46141d98deba5cab9fc54c0b956b90939caf5d846edc6ae4d368d88a964c2259f5cf9fcadc8f7e610b30928ea65af9b5c777
-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1