General
-
Target
Built.exe
-
Size
10.7MB
-
Sample
240521-rdgbfage9w
-
MD5
762348f1a6f0f39d9e461e5afd716581
-
SHA1
682a770c2ec6085049a2cc2b6da689906f949581
-
SHA256
5ee8240a671f3d87b1c4290dbd81350ae8a5809a801055a4eff2c9811ca9a0f9
-
SHA512
8b0606eb5c737edbea22124d774b4612e6a214e10b7f630da955866f74fbc4df1aa52504ddb7e5086a7283d8090b37ef6ffac74315a9fccf535802424aa2e961
-
SSDEEP
196608:Izhu+r7PnILLZWdoCOi8DwGcsAgeRtcGfcY3gtAr2e+SPz1:0r7M5li8k3meXcGfdWe+61
Malware Config
Extracted
xworm
127.0.0.1:40656
147.185.221.16:40656
-
Install_directory
%Userprofile%
-
install_file
WinDefenderClient.exe
Targets
-
-
Target
Built.exe
-
Size
10.7MB
-
MD5
762348f1a6f0f39d9e461e5afd716581
-
SHA1
682a770c2ec6085049a2cc2b6da689906f949581
-
SHA256
5ee8240a671f3d87b1c4290dbd81350ae8a5809a801055a4eff2c9811ca9a0f9
-
SHA512
8b0606eb5c737edbea22124d774b4612e6a214e10b7f630da955866f74fbc4df1aa52504ddb7e5086a7283d8090b37ef6ffac74315a9fccf535802424aa2e961
-
SSDEEP
196608:Izhu+r7PnILLZWdoCOi8DwGcsAgeRtcGfcY3gtAr2e+SPz1:0r7M5li8k3meXcGfdWe+61
-
Detect Xworm Payload
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-