General
-
Target
2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
-
Size
87KB
-
Sample
240522-1e9h2shf2y
-
MD5
ab378d6539627c52dbfc272c83eb420c
-
SHA1
039060f0fdefbe0a62147a7bbad9b1a526a78d61
-
SHA256
2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
-
SHA512
afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222
-
SSDEEP
1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ
Static task
static1
Behavioral task
behavioral1
Sample
2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe
Resource
win7-20240508-en
Malware Config
Extracted
xworm
-
Install_directory
%ProgramData%
-
install_file
winlogon.exe
-
pastebin_url
https://pastebin.com/raw/kTrgfRNT
-
telegram
https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Targets
-
-
Target
2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
-
Size
87KB
-
MD5
ab378d6539627c52dbfc272c83eb420c
-
SHA1
039060f0fdefbe0a62147a7bbad9b1a526a78d61
-
SHA256
2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
-
SHA512
afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222
-
SSDEEP
1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-