General
Target: 4923f14138a892567a3a3a2bac19fc62.bin
Size: 5.0MB
Sample: 240329-b9tnmsed81
MD5: 4923f14138a892567a3a3a2bac19fc62
SHA1: 8c2056e3edeaf919012c6503e5f8d64fd51355cc
SHA256: eec5d83fcb62d0c9b813081ef2cd9debf729826c0c20f00df764b7dda642c397
SHA512: 08f0423731694e188164fe933f1abb621ad339745d7ed91a2a5f58b4bce6e79e595d6a4e06fac8a542e35bdf8c7c3cdd21da91fcb2eacd3caaa3803a3f64503d
SSDEEP: 98304:f7S4+d1cDBbEqN5IMwzjV1u4SXhV0uPf62gmFHQqZZ7:e4LN7Ozfu5z5PpFw29
Static task: static1
Behavioral task: behavioral1 (Sample: GhostClient.exe, Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: GhostClient.exe, Resource: win10v2004-20240226-en)
Malware Config
Extracted: xworm 3.1
Targets
Target: GhostClient.exe
Size: 5.0MB
MD5: 8b36003e47da77255a4bc631359a9845
SHA1: 659aa2943770ed49557fd32a28a310d7e3961b52
SHA256: deadb78865ea2dc4347b895f19372c05482a14b0af6964e09b136eb73b431a1e
SHA512: 1d8fd97fc7985804e5a6c0a114e85b79ac41c93f723ab88ab177846febe30838c71d531731e2b3a5502c150b0c83966be3ec9d836013df4e2099172163f2d9fc
SSDEEP: 98304:ceUB6PiuZog3w97BI3lUKOPTu3d4BQ9455HEM/pBvOkSmK5ooAvNw82og6:GB6lTlUBq3eBf/plOk9Katvv2
Score: 10/10
Signatures:
- Detect Xworm Payload
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
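The behavioural signatures above are the kind of thing a sandbox derives from an ordered API/registry/file/network trace. The following is an added example of that matching logic, written for this page and not the sandbox's own rule engine: it replays a constructed trace (not events from this sample) through one rule per signature and reports which fire. The event schema, the registry paths (Services\<name>\ImagePath for the service binary, Control Panel\International\Geo\Nation for the configured country), the list of IP-lookup hosts and the ThreadInformationClass value 0x11 for ThreadHideFromDebugger are assumptions made here for illustration; the "Detect Xworm Payload" entry is a payload-content match rather than a behaviour and is not modelled.

```python
"""Behaviour-signature matcher over a constructed process trace (added example)."""
import re
from collections import defaultdict

# Assumption: the configured country/region is read from this key's "Nation" value.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
# ImagePath under any control set's Services hive is where a service binary is registered.
SERVICE_IMAGEPATH_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.I)
# Illustrative public "what is my IP" services (assumption, not taken from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com",
                   "ifconfig.me", "checkip.amazonaws.com"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # ThreadInformationClass for ThreadHideFromDebugger


def evaluate(events):
    """Return {signature_name: [evidence, ...]} for every signature the trace triggers.

    `events` is an ordered list of dicts with an "op" field. Order matters for the
    dropped-file rules: a file only counts as dropped once the trace shows it written.
    """
    hits = defaultdict(list)
    dropped = set()  # lower-cased paths the sample has written so far
    for ev in events:
        op = ev["op"]
        if op == "file_write":
            dropped.add(ev["path"].lower())
        elif op == "reg_set" and SERVICE_IMAGEPATH_RE.search(ev["key"]):
            hits["Sets service image path in registry"].append(f'{ev["key"]} = {ev["data"]}')
        elif op == "reg_read" and GEO_KEY_RE.search(ev["key"]) and ev.get("value") == "Nation":
            hits["Checks computer location settings"].append(ev["key"])
        elif op == "proc_create" and ev["image"].lower() in dropped:
            hits["Executes dropped EXE"].append(ev["image"])
        elif op == "image_load" and ev["image"].lower() in dropped:
            hits["Loads dropped DLL"].append(ev["image"])
        elif op == "dns_query" and ev["name"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].append(ev["name"])
        elif (op == "api_call" and ev["api"] == "NtSetInformationThread"
              and ev["args"].get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            hits["Suspicious use of NtSetInformationThreadHideFromDebugger"].append(
                f'ThreadHandle={ev["args"].get("ThreadHandle")}')
    return dict(hits)


# Constructed trace for demonstration; not captured from the sample on this page.
SAMPLE_TRACE = [
    {"op": "api_call", "api": "NtSetInformationThread",
     "args": {"ThreadHandle": -2, "ThreadInformationClass": 0x11}},
    {"op": "reg_read", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"op": "dns_query", "name": "api.ipify.org"},
    {"op": "file_write", "path": r"C:\Users\user\AppData\Local\Temp\svc.exe"},
    {"op": "file_write", "path": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"op": "reg_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath",
     "data": r"C:\Users\user\AppData\Local\Temp\svc.exe"},
    {"op": "proc_create", "image": r"C:\Users\user\AppData\Local\Temp\svc.exe"},
    {"op": "image_load", "image": r"C:\Users\user\AppData\Local\Temp\helper.dll"},
    {"op": "proc_create", "image": r"C:\Windows\System32\cmd.exe"},  # not dropped: no hit
]

if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_TRACE).items():
        print(f"{name}: {evidence}")
```

The dropped-file rules are deliberately stateful: executing or loading a path the sample never wrote (cmd.exe above) does not fire, and neither does a write that follows the execution, which is why the matcher must consume the trace in order rather than as an unordered set of facts.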