General
Target: Новая папка (5).rar
Size: 62.1MB
Sample: 240328-qwq3xsfd6y
MD5: 004b173de6591178ecc3a5d756d2b701
SHA1: 94128a7cefdc8ec3fa6a2c14dc95a83b9e0778fe
SHA256: 40a1f661d63099b9a3c64267509d231d02bfe0d4d93d964a1bf6d8d6d79140bf
SHA512: a54b0899ec403dbf97795ddc05dce3b2cc6d435977d6f41eaf401c6b3196043fa5a528ab0d4a4a291c11cebd240689874534950569c9cb422ea2cbd2ec529571
SSDEEP: 1572864:P+KB5HVYivtxABADxKGnM5j22e/oIhD/0/t3kYINtr:P+K71NzABA1KG6jE/oH/t3Ytr
Static task: static1
Behavioral task: behavioral1
  Sample: Новая папка (5).rar
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Новая папка (5).rar
  Resource: win10v2004-20240319-en
Malware Config
Extracted family: xworm
C2: 16.ip.gl.ply.gg:52773
Install_directory: %AppData%
install_file: $77cvhost.exe
Targets
Target: Новая папка (5).rar (same file as listed under General above)
- Detect Xworm Payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger