General
-
Target
684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3.exe
-
Size
9.7MB
-
Sample
240408-bzkyracg9v
-
MD5
4c6db42fb635d9aef809b0617918cedb
-
SHA1
9a426491d43c8350c29ac9767d99b87319febabb
-
SHA256
684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3
-
SHA512
734342a0d76e310be2a43c010885cb097dedbf1cb618a65da514d595461494a53b9cc284835a6fac6dfb476640c4044825028d655b531be8195c11581d47eb1b
-
SSDEEP
196608:LlFMPfqmsrrk8TUjPVwKrwzV3c3pOVX7TLAHACUG5jV2f:B2erI8g9wZ32pygHAC/J2f
Static task
static1
Behavioral task
behavioral1
Sample
684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3.exe
Resource
win7-20240220-en
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
XClient.exe
-
pastebin_url
https://pastebin.com/raw/rD1sfZTw
Targets
-
-
Target
684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3.exe
-
Size
9.7MB
-
MD5
4c6db42fb635d9aef809b0617918cedb
-
SHA1
9a426491d43c8350c29ac9767d99b87319febabb
-
SHA256
684efa3246161dc6a58ebab74e56a1db300aaa63ce5e34fc41b0b50b90bc87d3
-
SHA512
734342a0d76e310be2a43c010885cb097dedbf1cb618a65da514d595461494a53b9cc284835a6fac6dfb476640c4044825028d655b531be8195c11581d47eb1b
-
SSDEEP
196608:LlFMPfqmsrrk8TUjPVwKrwzV3c3pOVX7TLAHACUG5jV2f:B2erI8g9wZ32pygHAC/J2f
-
Detect Xworm Payload
-
Detect ZGRat V1
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Detects Windows executables referencing non-Windows User-Agents
-
Detects executables containing bas64 encoded gzip files
-
Detects executables packed with unregistered version of .NET Reactor
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1