General
-
Target
WizClient.exe
-
Size
68KB
-
Sample
240524-htqelshc3x
-
MD5
e076fab0807e1c2cbe8ae691e908cb8d
-
SHA1
dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12
-
SHA256
0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954
-
SHA512
6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8
-
SSDEEP
1536:g6uON87iC5AkJYdPF2JTbjqFFdZ6a6OYKWT5k:gRON8+C+2YlYxbjIf6Oju5k
Behavioral task
behavioral1
Sample
WizClient.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
WizClient.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:61510
wiz.bounceme.net:6000
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7064074256:AAEPKggwUFFbQfBDcAFetu5l4vMWNokFVfg/sendMessage?chat_id=6851754348
Targets
-
-
Target
WizClient.exe
-
Size
68KB
-
MD5
e076fab0807e1c2cbe8ae691e908cb8d
-
SHA1
dc6c4c935b460fa0413f4bf04c2cdf474cc3dc12
-
SHA256
0fbe615cf00da3b08bd0aac5c5c0f7c20a66d66f388436c6e361bfea0a0c6954
-
SHA512
6487a6f4f05b9ecebf336cda0a79fc55d27c73900553d2ba397242c149f8eb1c4132d2e5605452b91577ce94560c2b85a151ccd23ce3293366e5fe69da0ebda8
-
SSDEEP
1536:g6uON87iC5AkJYdPF2JTbjqFFdZ6a6OYKWT5k:gRON8+C+2YlYxbjIf6Oju5k
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-