General
-
Target
alint Injector.exe
-
Size
421KB
-
Sample
240426-p6gfsscb48
-
MD5
0da7db970ca52a95cba75fcdaeffc234
-
SHA1
ed3c5a22e314ecb49dc986850d7584507d28d1ec
-
SHA256
2243ca5017e8cf7c354213ff586c9a356b6029c5066fca3d65993d721098026c
-
SHA512
4d7df30b85e808207eb80dbe8e953ed3556959e68ecede9c1c2c7dbf78ef59dd58934216f1c8de8c33adbd36143e33402515c96bdfbbdbbc52f0a90ea9573087
-
SSDEEP
6144:2LtdFT6MDdbICydeBvRaifWp93duW6jmA1D00Yp0YsoG6bx8LW:6dzJaifWz3BY1D8pXl8LW
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2
Extracted
xworm
phentermine-partial.gl.at.ply.gg:36969
-
Install_directory
%AppData%
-
install_file
Client.exe
-
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Targets
-
-
Target
alint Injector.exe
-
Size
421KB
-
MD5
0da7db970ca52a95cba75fcdaeffc234
-
SHA1
ed3c5a22e314ecb49dc986850d7584507d28d1ec
-
SHA256
2243ca5017e8cf7c354213ff586c9a356b6029c5066fca3d65993d721098026c
-
SHA512
4d7df30b85e808207eb80dbe8e953ed3556959e68ecede9c1c2c7dbf78ef59dd58934216f1c8de8c33adbd36143e33402515c96bdfbbdbbc52f0a90ea9573087
-
SSDEEP
6144:2LtdFT6MDdbICydeBvRaifWp93duW6jmA1D00Yp0YsoG6bx8LW:6dzJaifWz3BY1D8pXl8LW
Score10/10-
44Caliber
An open source infostealer written in C#.
-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-