General

Target: Installer.bat
Size: 66KB
Sample: 240524-dlhbtaba53
MD5: c51a341d4045678ac21ec499e8c9e992
SHA1: 0e44988a81ff21a58456c3b782c7a51aafde1358
SHA256: f5650b450dedd0a0fec4a59e7412d1312352bd9088c5d2e934f863926b1c5dad
SHA512: 8c51dd3ab2992871f702b255551f45c6cb2ed937774eac027a87dc4f2e2926a45433b4e56fc8e90dcf40a465d79280c0212c364070bd7e1dd6dfec177a430159
SSDEEP: 1536:NoQ26vCtla+UARVN2PUPFK9QBib9ZKL/FhtGif3:3hvCvUi2Pi7BiYFhtGif3
Static task: static1

Behavioral task: behavioral1
Sample: Installer.bat
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: Installer.bat
Resource: win10v2004-20240508-en
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:7777
C2: 45.145.41.147:7777
luZPyQax4mC0o3RE (unlabelled string in the extracted config)
Install_directory: %ProgramData%
install_file: WinUpdate.exe
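The extracted config above is only useful once it is turned into things a defender can block or hunt for. The following Python is an added example (not part of the sandbox report and not XWorm code) that does that normalisation: it splits each C2 entry into host and port, drops the non-routable 127.0.0.1 placeholder from the network blocklist, and derives the expected on-disk path from Install_directory and install_file. The unlabelled string is carried as a plain string IOC without guessing its role, and the Run key value name is a placeholder, since the report only says that a Run key is added.

```python
"""Turn the extracted XWorm config from the report into hunt-ready IOCs.

Added example, not part of the sandbox report or the XWorm code base.
Config values are those shown in the report; the Run key value name is
a placeholder (the report does not give it) and the unlabelled config
string is kept as a string IOC without assuming what it is used for.
"""
import ipaddress
from dataclasses import dataclass, field

# Extracted config, copied from the report above.
EXTRACTED = {
    "family": "xworm",
    "version": "5.0",
    "c2": ["127.0.0.1:7777", "45.145.41.147:7777"],
    "unlabelled": "luZPyQax4mC0o3RE",
    "Install_directory": "%ProgramData%",
    "install_file": "WinUpdate.exe",
}


@dataclass
class C2:
    host: str
    port: int
    routable: bool  # False for loopback/private/reserved placeholders


@dataclass
class Iocs:
    c2: list = field(default_factory=list)
    file_paths: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def parse_c2(entry: str) -> C2:
    """Split 'host:port'; flag addresses that cannot be reached from a victim."""
    host, _, port = entry.rpartition(":")
    host = host.strip("[]")  # tolerate [v6]:port
    try:
        routable = ipaddress.ip_address(host).is_global
    except ValueError:
        routable = True  # hostname: cannot decide statically, keep it
    return C2(host=host, port=int(port), routable=routable)


def derive_iocs(cfg: dict) -> Iocs:
    """Build network, file, registry and string IOCs from the config."""
    iocs = Iocs()
    for entry in cfg["c2"]:
        iocs.c2.append(parse_c2(entry))
    install_path = cfg["Install_directory"].rstrip("\\") + "\\" + cfg["install_file"]
    iocs.file_paths.append(install_path)
    # Placeholder value name: the report only says a Run key is added.
    iocs.registry.append(
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<value> -> " + install_path)
    iocs.strings.append(cfg["unlabelled"])
    return iocs


def network_blocklist(iocs: Iocs) -> list:
    """Only routable C2s are worth blocking; 127.0.0.1 is a config placeholder."""
    return sorted({f"{c.host}:{c.port}" for c in iocs.c2 if c.routable})


if __name__ == "__main__":
    found = derive_iocs(EXTRACTED)
    print("block:", network_blocklist(found))
    print("files:", found.file_paths)
    print("registry:", found.registry)
```

Keeping the loopback entry in the parsed C2 list but out of the blocklist matters in practice: pushing 127.0.0.1:7777 to a firewall or EDR blocklist is at best noise and at worst breaks local services.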
Targets

Target: Installer.bat
Size: 66KB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: as listed under General above
Score: 10/10

Signatures
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
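The signatures above describe behaviours a sandbox observed; on an endpoint the same behaviours surface as discrete telemetry events. The Python below is an added example (not part of the report) that maps constructed Sysmon-style records (EID 11 file create, 13 registry set, 22 DNS query) and PowerShell script block records (EID 4104) onto the report's signatures. The field names follow those event types, the values are made up apart from the install path from the extracted config, and the list of IP-lookup domains is an assumption, since the report only says a legitimate IP lookup service was used. The registry-based location check is not covered, because Sysmon does not record registry reads.

```python
"""Map host telemetry to the behaviours the report flags for this sample.

Added example, not part of the sandbox report. Events are constructed to
resemble Sysmon (EID 11, 13, 22) and PowerShell script block (EID 4104)
records; values are made up except for the install path from the
extracted config. IP_LOOKUP_DOMAINS is an assumption. Registry reads
(the geofence check) are not in Sysmon telemetry and are not covered.
"""
import re

# Add-MpPreference with any of the three exclusion switches the report names.
DEFENDER_EXCLUSION = re.compile(
    r"\bAdd-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)\b", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
INSTALL_PATH = re.compile(r"\\ProgramData\\WinUpdate\.exe$", re.I)
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "ifconfig.me"}  # assumption


def classify(event: dict) -> list:
    """Return the report signatures a single event corresponds to."""
    hits = []
    eid = event.get("EventID")
    if eid == 4104 and DEFENDER_EXCLUSION.search(event.get("ScriptBlockText", "")):
        hits.append("defender_exclusion_via_powershell")
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        hits.append("run_key_persistence")
    if eid == 11 and INSTALL_PATH.search(event.get("TargetFilename", "")):
        hits.append("install_file_dropped")
    if eid == 22 and event.get("QueryName", "").lower() in IP_LOOKUP_DOMAINS:
        hits.append("external_ip_lookup")
    return hits


def triage(events) -> dict:
    """Group record ids by signature. A Run key whose data is the install
    path ties persistence to the dropped file, so it is reported separately."""
    summary = {}
    for ev in events:
        for hit in classify(ev):
            summary.setdefault(hit, []).append(ev.get("RecordId"))
    linked = [ev["RecordId"] for ev in events
              if "run_key_persistence" in classify(ev)
              and INSTALL_PATH.search(ev.get("Details", ""))]
    if linked:
        summary["run_key_points_at_install_file"] = linked
    return summary


SAMPLE_EVENTS = [  # constructed, not taken from the sandbox run
    {"RecordId": 1, "EventID": 4104,
     "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\ProgramData" '
                        '-ExclusionProcess "WinUpdate.exe" -ExclusionExtension ".exe"'},
    {"RecordId": 2, "EventID": 11,
     "TargetFilename": r"C:\ProgramData\WinUpdate.exe"},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\ProgramData\WinUpdate.exe"},
    {"RecordId": 4, "EventID": 22, "QueryName": "api.ipify.org"},
    # Benign noise: reading exclusions is not the same as adding them.
    {"RecordId": 5, "EventID": 4104,
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"RecordId": 6, "EventID": 11,
     "TargetFilename": r"C:\Users\u\Downloads\notes.txt"},
]

if __name__ == "__main__":
    for sig, ids in triage(SAMPLE_EVENTS).items():
        print(f"{sig}: records {ids}")
```

Script block logging (EID 4104) is the right source for the Defender-exclusion behaviour because the exclusion cmdlet is visible there even when the launching command line is obfuscated; matching only on `Add-MpPreference` rather than `*MpPreference` keeps the benign `Get-MpPreference` audit out of the results.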