General
Target: ModXPack.bat
Size: 1.6MB
Sample: 240413-y169pshc96
MD5: 51d7b8be303abf43851e767d9250887b
SHA1: e795e381647c8a99529f87810347881b6b9bdeba
SHA256: e9934713ab2bde592f73c677d6ad05656b81638a65626f2fd70aefa11f14378d
SHA512: 1ee6999e72bafb69559c1dbeb6ff84e46f94fe1b51a82626d7feabce5619053299872d680520aac791e103a3fb45a6d002180cc166215c59517e6c72dae6ee26
SSDEEP: 24576:0DQy+ebV+tWhxXbJ3p+uOw/MhywlLuXmU+mC2Yvhp9Ehz+AZUTBMrJQfcMw:0NnXt1OIMhB6XmU+mynnuJ8w
Static task
static1

Behavioral task
behavioral1
Sample: ModXPack.bat
Resource: win10-20240404-en

Behavioral task
behavioral2
Sample: ModXPack.bat
Resource: win10v2004-20240412-en
Malware Config

Extracted: xworm
Version: 3.0
C2: china-earth.gl.at.ply.gg:14568
Mutex: 4tKD5kBskz9jyEvO
install_file: USB.exe
telegram: https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284

Extracted: quasar
Version: 1.4.1
Botnet: Office04
C2: notes-creation.gl.at.ply.gg:27030
Mutex: 6735a92b-88d2-4fbe-8e59-605a85072109
encryption_key: 8681483EF512C654BECF205A0D74FFCA4B129A98
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Trapix Client Startup
subdirectory: SubDir
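The two C2 endpoints, the Telegram exfiltration URL and the Quasar persistence names in the extracted configs are what a responder hunts for after a report like this. The Python below is an added example, not part of the sandbox report: it turns those values into scored indicators and runs them over a few constructed log lines (a DNS query, a proxy CONNECT, a Sysmon registry event). The log lines, the severity scheme and the `hunt`/`triage` names are the example's own assumptions. Two caveats it encodes: both C2 hosts sit under gl.at.ply.gg, a playit.gg tunnel domain, so the tunnel name is cheap to rotate and the parent domain alone is only a weak indicator; and api.telegram.org is shared with legitimate use, while the bot id in the URL is only visible where TLS is terminated or in the sample itself.

```python
import re
from urllib.parse import parse_qs, urlparse

# Indicators copied verbatim from the configs extracted above.
XWORM_C2 = "china-earth.gl.at.ply.gg:14568"
QUASAR_C2 = "notes-creation.gl.at.ply.gg:27030"
TELEGRAM_URL = ("https://api.telegram.org/bot7171419034:"
                "AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284")
QUASAR_STARTUP_KEY = "Trapix Client Startup"   # Run-key value name (startup_key)
QUASAR_INSTALL_PATH = r"SubDir\Client.exe"      # subdirectory + install_name
XWORM_INSTALL_FILE = "USB.exe"                  # install_file


def split_hostport(hostport):
    """'host:port' -> (host, port); the C2 strings use this form."""
    host, _, port = hostport.rpartition(":")
    return host.lower(), int(port)


def telegram_ids(url):
    """Pull bot id, token and chat id out of the Telegram exfil URL.

    The digits before the colon are the bot id and the rest is the secret
    token; the chat id is in the query. Each can be hunted independently.
    """
    parts = urlparse(url)
    m = re.match(r"^/bot(\d+):([A-Za-z0-9_-]+)/", parts.path)
    if parts.netloc != "api.telegram.org" or not m:
        raise ValueError("not a Telegram bot API URL")
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": m.group(1), "token": m.group(2), "chat_id": chat_id}


def build_indicators():
    """Return (name, severity, compiled_regex) triples.

    'strong' values are specific to this sample; 'weak' ones are shared with
    legitimate traffic (the Telegram API host, the playit.gg tunnel domain,
    generic file names) and only mean something alongside a strong hit.
    """
    tg = telegram_ids(TELEGRAM_URL)
    ind = []
    for name, c2 in (("xworm_c2", XWORM_C2), ("quasar_c2", QUASAR_C2)):
        host, _port = split_hostport(c2)
        ind.append((name, "strong", re.compile(re.escape(host), re.I)))
    ind.append(("playit_tunnel", "weak", re.compile(r"\.ply\.gg\b", re.I)))
    ind.append(("telegram_bot_id", "strong", re.compile(r"bot%s\b" % tg["bot_id"])))
    ind.append(("telegram_chat_id", "strong", re.compile(r"chat_id=%s\b" % tg["chat_id"])))
    ind.append(("telegram_api", "weak", re.compile(r"api\.telegram\.org", re.I)))
    ind.append(("quasar_run_key", "strong", re.compile(re.escape(QUASAR_STARTUP_KEY), re.I)))
    ind.append(("quasar_install", "weak", re.compile(re.escape(QUASAR_INSTALL_PATH), re.I)))
    ind.append(("xworm_install", "weak",
                re.compile(r"\\" + re.escape(XWORM_INSTALL_FILE) + r"\b", re.I)))
    return ind


# Constructed log lines for the demo; not taken from the sandbox run.
SAMPLE_LOGS = [
    "2024-04-13T09:12:01Z dns client=10.0.0.5 qname=china-earth.gl.at.ply.gg qtype=A",
    # TLS: a proxy sees only the host, never the bot token in the URL path.
    "2024-04-13T09:12:09Z proxy client=10.0.0.5 CONNECT api.telegram.org:443 status=200",
    # Sysmon Event 13 (registry value set) flattened onto one line.
    r"2024-04-13T09:12:15Z sysmon EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Trapix Client Startup Details=C:\Users\u\AppData\Roaming\SubDir\Client.exe",
    "2024-04-13T09:13:00Z dns client=10.0.0.7 qname=www.example.com qtype=A",
]


def hunt(lines, indicators=None):
    """Return (line_index, indicator_name, severity) for every match."""
    indicators = indicators or build_indicators()
    return [(i, name, sev)
            for i, line in enumerate(lines)
            for name, sev, rx in indicators if rx.search(line)]


def triage(lines):
    """Collapse hits per line to the strongest severity plus the names that
    fired, so weak-only lines can be queued for review instead of alerted on."""
    result = {}
    for i, name, sev in hunt(lines):
        best, names = result.get(i, ("weak", []))
        if sev == "strong":
            best = "strong"
        result[i] = (best, names + [name])
    return result


if __name__ == "__main__":
    for i, (sev, names) in sorted(triage(SAMPLE_LOGS).items()):
        print(f"line {i}: {sev:6} {', '.join(names)}")
```

The Run-key value name and the full Telegram bot id are the most durable pivots here: the tunnel hostnames and the Quasar client file name can be changed per build, while the operator's Telegram bot and chat id tend to be reused across samples.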
Targets
Target: ModXPack.bat (hashes as listed under General)
- Detect Xworm Payload
- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.