General
Target: src.bat
Size: 10.9MB
Sample: 240504-efty4ace5z
MD5: 0f4fd1c1d7779042723279142a04cb7b
SHA1: 0c0ea12510e5347249289664342bf55700e014aa
SHA256: 26203b41aadf119e6271db5ca06ae8e29ab6c1853163dc048c85b4e943c7e680
SHA512: e50e417c45d4fcdee499c813916e1e2e17ca63aa60e72b7bfe3726093aca365b97988998e42e0c647088f10d96aa64d065cda48aa6b9a8dfccc6721ab192b4f8
SSDEEP: 49152:gum6TKHyL3RIoahdQB8X1pixsrq6beKCVPFnYYgG6eqxAcQ6cHKhU85gpSLfI5uw:+A

Tasks
Static task: static1
Behavioral task: behavioral1 (sample: src.bat, resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: src.bat, resource: win10v2004-20240419-en)

Malware Config
Extracted family: xworm
Hosts: continue-silk.gl.at.ply.gg:58347, 127.0.0.1:58347
Install_directory: %AppData%
install_file: steamwebhelper.exe

Targets
Target: src.bat
Size: 10.9MB
Hashes (MD5, SHA1, SHA256, SHA512, SSDEEP): identical to the values listed under General above.

Signatures
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
- Detect Xworm payload
- StormKitty payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry