General

  • Target

    Nursultan Beta.exe

  • Size

    1.5MB

  • Sample

    240502-t1f1ascg8w

  • MD5

    b8317db1ac92a4c14e7d0d8f3539ae43

  • SHA1

    22a2385c9bbfce788b08fc24f33f8a0adaefd78e

  • SHA256

    d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c

  • SHA512

    e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993

  • SSDEEP

    12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1235294310178492458/n1tsVRd4bDgNQjTi7wJYLYEgwzKAtqbw0H2CgwWJ4hG1R016D9ZXGq5Kouec9-4BGOgv

Extracted

Family

xworm

C2

phentermine-partial.gl.at.ply.gg:36969

Attributes
  • Install_directory

    %Temp%

  • install_file

    Astral.exe

  • telegram

    https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y

Targets

    • Target

      Nursultan Beta.exe

    • Size

      1.5MB

    • MD5

      b8317db1ac92a4c14e7d0d8f3539ae43

    • SHA1

      22a2385c9bbfce788b08fc24f33f8a0adaefd78e

    • SHA256

      d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c

    • SHA512

      e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993

    • SSDEEP

      12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc

    • 44Caliber

      An open source infostealer written in C#.

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks