General
Target: 1d562eaa3e33451a40f60c976c6f4bc0.bin
Size: 626KB
Sample: 240328-bd8spacc9w
MD5: 5d6b50358d5582e8bfd16db6293b49d4
SHA1: 115585eb24ce85cbc96186e96d83e2af7534f9ef
SHA256: facf6255e4cef4e5757529e30af248dc78594b292a4753d4216b02df4be4a7ac
SHA512: 4081693f8dba663c86b864ce78f8f36abe1813e3556360fcb1271c047335bb12b96c7a98d3c8252a0938a1f78f731146f65228fdcf2258bb3e167ec97e4d2651
SSDEEP: 12288:U974z7VcdHbz5Ar0jRSHjAMt+NWzqc3m6QW0cLXcLPZwwn9u+PoEVFkF7ngDPT:gYZMz6ojRSHjh+U++QeSJ9Zg1F7nCPT
Static task: static1
Behavioral task: behavioral1
Sample: dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614.exe
Resource: win7-20231129-en
Malware Config
Extracted
xworm
3.0
157.254.223.19:8081
i0Yq2Adr82znjD2G
Install_directory: %ProgramData%
install_file: USB.exe
telegram: https://api.telegram.org/bot5498061286:AAEOFPFhizSA_AbkzDV_OWcHlXVsegPpL_c/sendMessage?chat_id=1267602057
Targets
Target: dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614.exe
Size: 631KB
MD5: 1d562eaa3e33451a40f60c976c6f4bc0
SHA1: de0f3e027e12162388ec953936857f06b71487ca
SHA256: dde68755fa515158e01e3e8f2b90772dc86e25b7e2684fc5066a5e33ee22b614
SHA512: 73901625a5f7a9fecd013d4675427d4bd2d623174e8c78a4c831d4ca76797312b67f75fb662f2bd091ddeb4dd3b20790a39eb237c9f57c4e6a2c88a8b0af042a
SSDEEP: 12288:uJz1yun32ZOxhr9d6G3R6dYw02suri2zUkhqCFl6oXK1CC+:aByM3b9oM6dl0NulFhqCWwW8
- Detect Xworm Payload
- Detect ZGRat V1
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext