General
-
Target
nigger.exe
-
Size
41KB
-
Sample
240428-dcy8zaeh6t
-
MD5
7820f5d5245b72be9f24ed477f87287b
-
SHA1
84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
-
SHA256
1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
-
SHA512
68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b
-
SSDEEP
768:cTFHrDMQVZYwCxJAuwKFjHKShtF5PG9+zqOwhj3EuX3:6wQEdrAulzKSTFI9+zqOwNFX3
Behavioral task
behavioral1
Sample
nigger.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
nigger.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
xworm
5.0
127.0.0.1:38630
147.185.221.19:38630
bay-currencies.gl.at.ply.gg:38630
and-organized.gl.at.ply.gg:38630
community-excess.gl.at.ply.gg:38630
uhdZU70lXCRBT2pC
-
Install_directory
%AppData%
-
install_file
runbroker.exe
Targets
-
-
Target
nigger.exe
-
Size
41KB
-
MD5
7820f5d5245b72be9f24ed477f87287b
-
SHA1
84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
-
SHA256
1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
-
SHA512
68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b
-
SSDEEP
768:cTFHrDMQVZYwCxJAuwKFjHKShtF5PG9+zqOwhj3EuX3:6wQEdrAulzKSTFI9+zqOwNFX3
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-