General

- Target: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd.exe
- Size: 120KB
- Sample: 240526-bl6nasab26
- MD5: 4e1e436848d533c9a00b762ac148786d
- SHA1: 42962a264fbdbc96eb8267052298be9143ecd8bf
- SHA256: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd
- SHA512: 59d16efac5f0ea7c62d18ef30032eba907b8d6c097463a8244f3d709c85b90ec12387c94a4d8a35dfb59d0cbd2dc02d0b39a1f6bd12c5ccd050d552070fdf30d
- SSDEEP: 3072:EV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPxJ:pt5hBPi0BW69hd1MMdxPe9N9uA069TBz
- Static task: static1
- Behavioral task: behavioral1
- Sample: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd.exe
- Resource: win7-20240220-en
Malware Config

- Extracted: xworm
- Install_directory: %ProgramData%
- install_file: winlogon.exe
- pastebin_url: https://pastebin.com/raw/kTrgfRNT
- telegram: https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Targets

- Target: efcd31afd704c03d8a487a06c795bba7ea0a1cde0866d8fcfd40f4c3ce197bbd.exe
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables containing SQL queries to confidential data stores. Observed in infostealers.
- Detects executables using Telegram Chat Bot
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.