General
Target: SantosExecutorInstaller.exe
Size: 136KB
Sample: 240508-r6w8cshg2x
MD5: 2c2c3af94bc32c880278a8d8c4fa831c
SHA1: 1ee1f7b2e91f66c8b79d6bb97924484580a9276d
SHA256: 2ab6390fcc902b46d3df5107416223da2d1c275d80aab0b7b7d6c0ee8c219644
SHA512: 7a774318d756e673ce761c480530e70f7dfa84ce7aaed162f577f19a4afa237695d9de1e1646019106ef52e8315025ec8ca9e0acd6aba13dd74773c7e9ea0efd
SSDEEP: 3072:yOT7HFq9tiUOjoBz65/M6If+3Js+3JFkKeTnE:zRq9LxBt25
Behavioral task: behavioral1
Sample: SantosExecutorInstaller.exe
Resource: win7-20240221-en
Malware Config
Extracted family: xworm
Version: 5.0
C2: introduction-specifications.gl.at.ply.gg:47117
Key: OJaM16tyEwtJe5lG
Install_directory: %Userprofile%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7098399942:AAGbBTQcHRRS0fdzPhkmgHxFxRybEnM_OnM
Targets
Target: SantosExecutorInstaller.exe
Size: 136KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP are identical to the values listed under General above.)
Signatures
- Detect Xworm Payload
- StormKitty payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.