General
  Target: ORBIT_LOADER.rar_1
  Size: 351KB
  Sample: 240419-28dtxaaa77
  MD5: d498e0674ead62bd2d465d2c74085bff
  SHA1: ad62469af5bdb660b272d0696f0a730b48f5307e
  SHA256: 4fcc32496885b57253012e973fa87008f9dd31b65764812a2b436f310e02776a
  SHA512: 7d6d67ab69b3b94ec335d0ae46505c2d50db01658c67826f021ff196623720cf58a9ae611ee509e9f52ec0b97503badd3ac57423212a357831834f31a6036f21
  SSDEEP: 6144:OVf06RISvE5q+5KQ935GMoV9YuFDHtKWJ6hqe++w4sEMnX73XchCxjdZPkksbd7L:Wv28E55KQ9JKVaulU3c+w4sEMLcYjdZi

Static task: static1

Behavioral task: behavioral1
  Sample: INSTRUCTIONS.txt
  Resource: win10v2004-20240412-en

Behavioral task: behavioral2
  Sample: KeyAuthBypass.bat
  Resource: win10v2004-20240412-en

Behavioral task: behavioral3
  Sample: ORBIT_LOADER.exe
  Resource: win10v2004-20240412-en

Malware Config
  Extracted: xworm
  147.185.221.18:28789
  Install_directory: %AppData%
  install_file: USB.exe
Targets

Target: INSTRUCTIONS.txt
  Size: 250B
  MD5: 0ba8399d87474129ed5324241f164a33
  SHA1: 964071af066bf019a5b3f51989095c221a7fd780
  SHA256: a186b0cba59af0f81bba3430f3c707dd94bee872e55d320ec3d314b763f1f2d2
  SHA512: 860a93671182d37422c04cd9e48e9fe6260660d35d213e593b16d9ba6324ac0bacc9e646baa484fa67e40ed5cc0e24387c4f7bc2d2bc8b76c8413dbd0b5debf2
  Score: 1/10

Target: KeyAuthBypass.bat
  Size: 303KB
  MD5: c0125697130c434fdb337ae2eed19837
  SHA1: 82dd83d2252658eb6e2f9a79bea5670584325426
  SHA256: 0ff1422031c03d9a36b84a1d9949a417f805946af634c6b40f4d78287fc5e5a7
  SHA512: 86acf91777abfb3793a624ae69dc6d2e373ac3d807b43f519f85c46aa3c769ad1c5c1455205b42f98ee04aa1f7a1071466f2318767e671dab278f86e817e7c71
  SSDEEP: 6144:69eAjc5fgprVBnijYbb+kxBG6YJM/glTsZTtvbZuccrU109webL+QtlkuPl:31fgprajY3N7P/glTsZtgDVHkm
  Score: 10/10
  Detect Xworm Payload
  Blocklisted process makes network request
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Drops startup file
  Executes dropped EXE
  Adds Run key to start application
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
Target: ORBIT_LOADER.exe
  Size: 257KB
  MD5: f31c297fc1d49b4a3d0a05a581cb9cb5
  SHA1: fbd8e4fe4593dc695401224a83e306b69f8cb57b
  SHA256: 5ee96940638e550bee88191b5e0833e14bd97ebd3434ac796012624aca1089a7
  SHA512: 9d6285fb3f390c3a08ce0bb167a9eeeb2f7930ff72d44e1616156c7db81781686424fa108246203c6d462c14b5bc952913f67234615d512448853a5577febf74
  SSDEEP: 3072:kQO0XlV3MLxP2Zo2qwbK6XWRRzBBpDkqyG2gs2FqwetiE1fG3wCbTMzu:kQrvAxQLUzR3pOc3IwyirwCc
  Score: 7/10
  .NET Reactor protector
    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Checks computer location settings
    Looks up country code configured in the registry, likely geofence.
  Drops startup file
  Executes dropped EXE
  Adds Run key to start application
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.