General
Target: Double.bat
Size: 1.6MB
Sample: 240413-wk7t7afc78
MD5: 948386c98184781df692e5f11ff558f7
SHA1: e8619faf83446ea78e456920834579bbf71aea20
SHA256: 7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f
SHA512: 0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba
SSDEEP: 24576:wdgbyfVoiqSFeKsWoIk3GpiYJKVvlBU4Lr/QIEeL86NKuhRu9xyz2XP9d/qi7q:J4ogzBYGUvrxrl44RQyz2fZq
Static task: static1
Behavioral task: behavioral1 (sample Double.bat, resource win10-20240404-en)
Behavioral task: behavioral2 (sample Double.bat, resource win10v2004-20240412-en)
Malware Config
Extracted: quasar 1.4.1
Office04
C2: express-divorce.gl.at.ply.gg:22562
6735a92b-88d2-4fbe-8e59-605a85072109
encryption_key: 8681483EF512C654BECF205A0D74FFCA4B129A98
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Trapix Client Startup
subdirectory: SubDir
Extracted: xworm 3.0
C2: traffic-collins.gl.at.ply.gg:24820
uX6FapIHo24Z2JFZ
install_file: USB.exe
telegram: https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284
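An added example, not part of the sandbox report and not code from either malware family: a small Python IOC matcher assembled from the configs and hashes extracted above. Everything it matches on (C2 host:port pairs, the Telegram bot URL, the startup key name, the drop file names, the file digests) is copied from the report; the function names and the log lines it scans are constructed for illustration. It goes slightly beyond the report by treating any other host under ply.gg (the playit.gg tunnelling domain both C2s use) as worth a look, and by matching the Telegram bot by its numeric id so that other API methods or chat ids using the same bot are still caught.

```python
"""IOC matcher built from the Quasar and XWorm configs extracted above.

Added example for this report page, not code from the sandbox or from
either malware family. Indicators are copied from the report; function
names and the scanned log lines are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# C2 endpoints from the extracted configs, keyed by (host, port).
C2_ENDPOINTS = {
    ("express-divorce.gl.at.ply.gg", 22562): "quasar 1.4.1",
    ("traffic-collins.gl.at.ply.gg", 24820): "xworm 3.0",
}
# Both C2s sit under ply.gg (playit.gg tunnels), which hides the operator's
# real address; other subdomains there are also worth a look.
TUNNEL_SUFFIX = ".ply.gg"
TELEGRAM_EXFIL_URL = (
    "https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc"
    "/sendMessage?chat_id=6403260284"
)
# Host artifacts from the configs. The bare exe names are weak on their own;
# the startup key name is the more specific indicator.
STARTUP_KEY = "Trapix Client Startup"
DROP_NAMES = {"Client.exe", "USB.exe"}
SAMPLE_HASHES = {
    "md5": "948386c98184781df692e5f11ff558f7",
    "sha1": "e8619faf83446ea78e456920834579bbf71aea20",
    "sha256": "7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f",
}


def telegram_parts(url):
    """Split a Telegram Bot API URL into bot id, token, method and chat id."""
    parsed = urlparse(url)
    m = re.fullmatch(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", parsed.path)
    if parsed.hostname != "api.telegram.org" or not m:
        return {}
    chat = parse_qs(parsed.query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2),
            "method": m.group(3), "chat_id": chat}


EXFIL = telegram_parts(TELEGRAM_EXFIL_URL)


def hashes_of(data):
    """Hash a file's bytes with the digests the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def is_sample(data):
    """True when the bytes hash to the reported Double.bat digests."""
    return hashes_of(data) == SAMPLE_HASHES


def classify_connection(host, port):
    """Label a destination as a known C2, a ply.gg tunnel, or nothing."""
    host = host.lower().rstrip(".")
    if (host, port) in C2_ENDPOINTS:
        return C2_ENDPOINTS[(host, port)]
    if host.endswith(TUNNEL_SUFFIX):
        return "ply.gg tunnel (not in config)"
    return None


def classify_url(url):
    """Flag requests to the exfil bot, whatever the method or chat id."""
    parts = telegram_parts(url)
    if parts and parts["bot_id"] == EXFIL["bot_id"]:
        return "xworm telegram exfil"
    return None


def classify_artifact(name):
    """Flag the configured startup entry name or one of the drop file names."""
    if name == STARTUP_KEY:
        return "quasar startup key"
    if name in DROP_NAMES:
        return "configured drop name (weak)"
    return None


# Constructed log lines (not from the report): "conn host:port", "http url", "reg value-name".
LOG_LINES = [
    "conn express-divorce.gl.at.ply.gg:22562",
    "conn traffic-collins.gl.at.ply.gg:24820",
    "conn other-name.gl.at.ply.gg:443",
    "conn api.telegram.org:443",
    "http https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284",
    "http https://api.telegram.org/bot123456:othertoken/getMe",
    "reg Trapix Client Startup",
]


def scan(lines):
    """Return (line, label) for every line that matches an indicator."""
    hits = []
    for line in lines:
        kind, _, rest = line.partition(" ")
        if kind == "conn":
            host, _, port = rest.rpartition(":")
            label = classify_connection(host, int(port))
        elif kind == "http":
            label = classify_url(rest)
        elif kind == "reg":
            label = classify_artifact(rest)
        else:
            label = None
        if label:
            hits.append((line, label))
    return hits


if __name__ == "__main__":
    for line, label in scan(LOG_LINES):
        print(f"{label:32} {line}")
```

Run it as-is to see the constructed lines classified; in practice feed `scan` your own DNS, proxy and registry telemetry in the same three-field shape, and use `is_sample` on file bytes to confirm a suspected copy of Double.bat.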
Targets
Target: Double.bat (1.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
Detect Xworm Payload
Quasar payload
Blocklisted process makes network request
Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.