General
Target: Mercurial.exe
Size: 3.4MB
Sample: 240425-bpph7acg34
MD5: 098e9faf57bdcda0314e4f43cfbe9686
SHA1: 3a245eedb31cafc62d3672885875489551b69283
SHA256: 610e127f79bb023801c4964d5fb4ce85f8cc145f54be11eb3dbe685c5e927db0
SHA512: 202e533c0a0a535add4e6a19a04b2fa36e486a3b058981d522cc2b961af4dd189d69f20cf77aebad31bc5e1eaef183a4ed6d6948c62ea7ceabd226a7c9fe05b1
SSDEEP: 98304:hNkjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:hxzJpjS346t1bIfuq07

Behavioral task: behavioral1
Sample: Mercurial.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: Mercurial.exe
Resource: win10v2004-20240412-en

Malware Config
Extracted: xworm
147.185.221.17:53478
Install_directory: %Temp%
install_file: Runbroker.exe
Targets
Target: Mercurial.exe
Size: 3.4MB
- Detect Xworm Payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.