General
Target: Opera.exe
Size: 319KB
Sample: 240426-qhm44scd74
MD5: f69924b642ac4b9ef1dfacdfd43759a9
SHA1: 95da50564c7cbc3749148419c68a08b0f2869ee1
SHA256: d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18
SHA512: 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07
SSDEEP: 6144:48loZMCrIkd8g+EtXHkv/iD4DDUgoOJBiLHaIJtM34b8e1mmiW2brXv5P:7oZRL+EP8DDUgoOJBiLHaIJtMQIL/5P
Malware Config
Extracted: umbral
  https://discord.com/api/webhooks/1233119648527159317/Az86qBZQwyED_alc1sGO6UWR18PzIJCJX0PM3XdL1VTOwZPXr0B4Rc6-GqAkKUjg4Jn2
Extracted: xworm
  phentermine-partial.gl.at.ply.gg:36969
  Install_directory: %AppData%
  install_file: Client.exe
  telegram: https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Targets
Target: Opera.exe (319KB; hashes as listed under General)
- Detect Umbral payload
- Detect Xworm Payload
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.