General
- Target: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
- Size: 167KB
- Sample: 240418-b1m5hafd84
- MD5: d0685487fa7e474e68a40a1b1ff49b60
- SHA1: 069285708e07814d852bbd5f39a7ffbb3c9e2d94
- SHA256: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
- SHA512: eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
- SSDEEP: 1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4
Behavioral task: behavioral1
- Sample: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: xworm
- dentiste.ddns.net:7000
- 86.68.222.14:7000
- 51.254.53.24:7000
- Install_directory: %AppData%
- install_file: Mise à jour carte CPS.exe
- telegram: https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A
Extracted: http://xcu.exgaming.click
Extracted: http://xcu5.exgaming.click
Extracted: asyncrat
- Venom RAT + HVNC + Stealer + Grabber v6.0.3
- Default
- hoyqzolrquxmbnzaee
- delay: 1
- install: true
- install_file: system.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/ckrnc4Uk
Targets
- Target: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe (167KB; hashes as listed under General)
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first seen, etc.
- Detect Xworm Payload
- StormKitty payload
- Async RAT payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables attempting to enumerate video devices using WMI
- Detects executables containing artifacts associated with disabling Windows Defender
- Detects executables embedding registry key / value combinations indicative of disabling Windows Defender features
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing credit card regular expressions
- Detects executables using a Telegram chat bot
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2