General
Target: CTF.exe
Size: 52KB
Sample: 240503-v24nesbg9z
MD5: 742202b5ba58f3d7070309cc25d55289
SHA1: 30713b70173b58c33af8a85ccd1be2d87359b085
SHA256: 27f05dfa1faa3d5e32972dd559db095a9b535f2f5698df247b26dd0a57bf1467
SHA512: fde78c427c05e5be820d3905776491ca29b8dd119cb8ab31d06daeb513e6f4b7769cf024ac45de7fdbdcb3359563b77df507350071d1bda3b17adda119d037cf
SSDEEP: 768:uL2+qG2JR4W4HFDuayfrxym0EYOubkLyGQ0TqU6GO5hF8cHJ:HdunJuVDUlbkGGQOqU6GO5b3p
Behavioral task: behavioral1
Sample: CTF.exe
Resource: win10v2004-20240426-en
Malware Config
Extracted: xworm (0.tcp.eu.ngrok.io:15487)
Install_directory: %AppData%
install_file: XClient.exe
Targets
Target: CTF.exe
Size: 52KB
MD5: 742202b5ba58f3d7070309cc25d55289
SHA1: 30713b70173b58c33af8a85ccd1be2d87359b085
SHA256: 27f05dfa1faa3d5e32972dd559db095a9b535f2f5698df247b26dd0a57bf1467
SHA512: fde78c427c05e5be820d3905776491ca29b8dd119cb8ab31d06daeb513e6f4b7769cf024ac45de7fdbdcb3359563b77df507350071d1bda3b17adda119d037cf
SSDEEP: 768:uL2+qG2JR4W4HFDuayfrxym0EYOubkLyGQ0TqU6GO5hF8cHJ:HdunJuVDUlbkGGQOqU6GO5b3p
Score: 10/10
Detect Xworm Payload
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Modifies Installed Components in the registry
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2