General

- Target: EZTEAM0.0.7.exe
- Size: 7.8MB
- Sample: 240426-pnffsabf73
- MD5: 79e6e964ad3a7e5b8008dc44553b784c
- SHA1: 63684848b7c4530aa24c96c6223fddd7e1417702
- SHA256: a669abcbdbf3f91fcfdd6cb2d55c9ba68a020c11aaca6ddf0c5bbb5c234ed023
- SHA512: 7e7d9aa748766b12473b178ee95c728f266e86d14110deaf9eb1937ff5343a0b7aaf0c69388eb4a918a236e19b95a87035b20792e04627ce45c630bd02c45013
- SSDEEP: 196608:UuUTi2pHbUmUHtahgF8/LQS9fjvSG7LUIGmrl:gwmuahk8/LbxvSG7D1Z
Behavioral task: behavioral1

- Sample: EZTEAM0.0.7.exe
- Resource: win7-20240220-en
Malware Config

Extracted: 44caliber
- Discord webhook: https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2

Extracted: xworm
- C2: phentermine-partial.gl.at.ply.gg:36969
- Install_directory: %AppData%
- install_file: Client.exe
- telegram: https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Targets

Target: EZTEAM0.0.7.exe (7.8MB; same MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

- Detect Xworm Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
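Added example, not part of the sandbox report: a small matcher that turns the extracted configs above into IOCs and scans telemetry lines for them, covering the Xworm C2 host and port, the 44caliber Discord webhook and the Xworm Telegram bot endpoint (matched on webhook ID and bot ID rather than the secret suffix, so a rotated token still fires), the %AppData%\Client.exe drop path and the sample SHA256. It assumes %AppData% expands to <profile>\AppData\Roaming (standard Windows behaviour) and, as a generalisation the page itself does not make, tags any *.ply.gg host as a playit.gg tunnel endpoint. The log lines are constructed for illustration and are not output of the sandbox run.

```python
"""IOC matcher built from the EZTEAM0.0.7.exe report's extracted configs.

Added example; not part of the sandbox report. IOC values are copied verbatim
from the report, the telemetry lines below are constructed.
"""
import re

# --- IOCs from the extracted 44caliber / Xworm configs (verbatim) -------------
SAMPLE_SHA256 = "a669abcbdbf3f91fcfdd6cb2d55c9ba68a020c11aaca6ddf0c5bbb5c234ed023"
XWORM_C2_HOST = "phentermine-partial.gl.at.ply.gg"
XWORM_C2_PORT = 36969
# Exfil endpoints: match on the webhook ID / bot ID only, not the secret suffix,
# so a rotated token behind the same account still triggers.
EXFIL_URL_PREFIXES = {
    "exfil_discord_webhook": "https://discord.com/api/webhooks/1233119648527159317/",
    "exfil_telegram_bot": "https://api.telegram.org/bot7080511499:",
}

HOST_RE = re.compile(re.escape(XWORM_C2_HOST), re.IGNORECASE)
# Port appears as "host:36969" in proxy logs or "dport=36969"/"port=36969" in firewall logs.
PORT_RE = re.compile(r"(?::|\bd?port=)%d\b" % XWORM_C2_PORT)
# Assumption (generalisation not stated on the page): *.ply.gg hosts are playit.gg
# tunnel endpoints, so any such host earns a weaker "tunnel" tag.
TUNNEL_RE = re.compile(r"\b[\w.-]+\.ply\.gg\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
# Install_directory %AppData% expands to <profile>\AppData\Roaming on Windows,
# so the Xworm drop (install_file Client.exe) resolves to ...\AppData\Roaming\Client.exe.
INSTALL_PATH_RE = re.compile(r"\\appdata\\roaming\\client\.exe\b", re.IGNORECASE)


def classify(line: str) -> list[str]:
    """Return the IOC tags a single telemetry line matches (empty list if none)."""
    tags = []
    if HOST_RE.search(line):
        tags.append("xworm_c2_host")
        if PORT_RE.search(line):  # the port alone is too weak; count it only with the host
            tags.append("xworm_c2_port")
    if TUNNEL_RE.search(line):
        tags.append("playit_tunnel_domain")
    for url in URL_RE.findall(line):
        for tag, prefix in EXFIL_URL_PREFIXES.items():
            if url.lower().startswith(prefix.lower()):
                tags.append(tag)
    if any(h.lower() == SAMPLE_SHA256 for h in SHA256_RE.findall(line)):
        tags.append("sample_sha256")
    if INSTALL_PATH_RE.search(line):
        tags.append("xworm_install_path")
    return tags


def scan(lines) -> dict[int, list[str]]:
    """Map line index -> tags for every line that matched at least one IOC."""
    return {i: t for i, line in enumerate(lines) if (t := classify(line))}


# Constructed telemetry (DNS, proxy, EDR); not output of the sandbox run.
SAMPLE_LOGS = (
    "dns query=phentermine-partial.gl.at.ply.gg type=A client=10.0.0.15",
    "proxy CONNECT phentermine-partial.gl.at.ply.gg:36969 client=10.0.0.15 status=200",
    "proxy POST https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2 client=10.0.0.15",
    "proxy GET https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y/sendDocument client=10.0.0.15",
    r"edr ProcessCreate image=C:\Users\alice\AppData\Roaming\Client.exe parent=EZTEAM0.0.7.exe",
    "edr FileCreate path=C:\\Users\\alice\\Downloads\\EZTEAM0.0.7.exe sha256=a669abcbdbf3f91fcfdd6cb2d55c9ba68a020c11aaca6ddf0c5bbb5c234ed023",
    "proxy GET https://discord.com/api/v9/gateway client=10.0.0.15 status=200",
    "dns query=example.com type=A client=10.0.0.15",
)

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(tags)}")
```

The two benign lines (ordinary Discord API traffic and an unrelated DNS query) produce no tags, and a bare `dport=36969` without the C2 host is deliberately ignored: high ports recur across unrelated traffic, so the port is only evidence alongside the host.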