General
Target: coin.b.bat
Size: 91KB
Sample: 240525-rcvsfafe67
MD5: 520c1190bbbe3a7359a6e72f76618245
SHA1: 50d5e441a97aad127e8d5ad8c28c848b3be02c5d
SHA256: 91813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0
SHA512: 98ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749
SSDEEP: 1536:HtkPhsAgh2YhIXwWIN0hdI7E5WQTpJlqb3mE81vT1dkYHcga3kplWaEDN4nVoLuR:NeCAgX+vIuEE5PlJAb3mE81L1dkhX3mV
Static task: static1
Behavioral task: behavioral1
Sample: coin.b.bat
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: coin.b.bat
Resource: win10v2004-20240508-en
Malware Config
Extracted
xworm
continue-silk.gl.at.ply.gg:58347
127.0.0.1:58347
Install_directory: %Temp%
install_file: steamwebhelper.exe
Targets
Target: coin.b.bat
Score: 10/10
Detect Xworm Payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry
-