General
Target: RbxPredictor.bat
Size: 755B
Sample: 240401-23t9psab93
MD5: 8d11409df3f91dd8940bc041203be830
SHA1: db0ccedde3720939b4cc0e4fd60c0c010648e61b
SHA256: 63cc8352adad4e4039864b5fce5dd2a8d13a97076a14e67c936dcce81a985317
SHA512: b0bef88bfd19669dedaaf56b23f9ddefe02130c2d695dfcbec8ecaa542ccde9674d860ba2f1039305807390f4f1c1389fce581c74c5d439be751be7ce1935d68
Static task: static1

Behavioral task: behavioral1
Sample: RbxPredictor.bat
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: RbxPredictor.bat
Resource: win10v2004-20240226-en
Malware Config
Extracted: https://raw.githubusercontent.com/zenyll/l/main/i.exe
Extracted: xworm
193.222.96.30:6969
Install_directory: %AppData%
install_file: Winhealth.exe
telegram: https://api.telegram.org/bot6703930852:AAHkGtAzjTv18cTE6yjZ0UbhefLu4Fjl9Gc
Targets
Target: RbxPredictor.bat
Size: 755B
MD5: 8d11409df3f91dd8940bc041203be830
SHA1: db0ccedde3720939b4cc0e4fd60c0c010648e61b
SHA256: 63cc8352adad4e4039864b5fce5dd2a8d13a97076a14e67c936dcce81a985317
SHA512: b0bef88bfd19669dedaaf56b23f9ddefe02130c2d695dfcbec8ecaa542ccde9674d860ba2f1039305807390f4f1c1389fce581c74c5d439be751be7ce1935d68
Score: 10/10

Signatures:
Detect Xworm Payload
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.