General
-
Target
Nursultan Beta.exe
-
Size
1.5MB
-
Sample
240502-t1f1ascg8w
-
MD5
b8317db1ac92a4c14e7d0d8f3539ae43
-
SHA1
22a2385c9bbfce788b08fc24f33f8a0adaefd78e
-
SHA256
d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c
-
SHA512
e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993
-
SSDEEP
12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1235294310178492458/n1tsVRd4bDgNQjTi7wJYLYEgwzKAtqbw0H2CgwWJ4hG1R016D9ZXGq5Kouec9-4BGOgv
Extracted
xworm
phentermine-partial.gl.at.ply.gg:36969
-
Install_directory
%Temp%
-
install_file
Astral.exe
-
telegram
https://api.telegram.org/bot7080511499:AAGFFOA3S2vvwmEy85SIMhKHrMsAdBoLR2Y
Targets
-
-
Target
Nursultan Beta.exe
-
Size
1.5MB
-
MD5
b8317db1ac92a4c14e7d0d8f3539ae43
-
SHA1
22a2385c9bbfce788b08fc24f33f8a0adaefd78e
-
SHA256
d0e3960cfc407d95abdf059048bef502b65dbd149d977ad44be858c9163d9e6c
-
SHA512
e919b5e87bc12ea0a38ca844ad2cb7d554b80357944d9d53a5bd79cdff8e8206fc06e75f7b710e9c59a90345e42d531993704b8a77532f8bd22e162ce15f5993
-
SSDEEP
12288:Sr4lDQ0JHD6AUsEp8zLghZM5Qr4lDQ0JHD6AUsEp8zDjuPKv7MYdzJaifWz3BY1q:ScdzJ9ubKQcdzJ9uwjxnWVwBjxnWVwc
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-