General
Target: reflgnp.exe
Size: 79KB
Sample: 240509-vst3magd26
MD5: 863711c10c1844754fca2729ac0f0380
SHA1: 2836a5baebb141188c2f845453a2c7700ed6e40f
SHA256: a441decf9cc4b9ac966e45c4127f253818f75328a30f2810acacf6551cd6f2bd
SHA512: 6aa41e7112b5edbc9e3a1d7ab5fb5fb5e26c5cde702f60f70715178a7acb59479f59d182afe5c42ba0b5ca6f5107934b47c19ecd6e99c34fbc7386804c2aa7d6
SSDEEP: 1536:YA2ixxSE7SX6TkIjnG18PyC+uF8iqUH3pbLYkDlGe4QDDa2OYoFpUrps24u:LgIu8PlxpbLYslNODF1u
Behavioral task: behavioral1
Sample: reflgnp.exe
Resource: win11-20240426-en

Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/cVQrB6DR
Targets
Target: reflgnp.exe
Size: 79KB
Score: 10/10
- Detect Xworm Payload
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage
- Modifies Installed Components in the registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)