General
Target: SexyBoy.bat
Size: 454B
Sample: 240526-xf436sga7y
MD5: 3d258a032b33d7f0e9c77be2db34372f
SHA1: 5530871c1fc729da367eb1c862ac73e093267e5d
SHA256: 9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c
SHA512: 18758cf96aa96a864125905d2de869f63a0d723b8ea39e651cc846b7b599c62f0b16b0341b707d127a5314d505e3f26ed2a0cea4231d8743c3055c2528687f41
Static task: static1
Behavioral task: behavioral1
Sample: SexyBoy.bat
Resource: win10-20240404-en
Malware Config
Extracted: https://github.com/Proxyonly/wewewewe/raw/main/Security.exe
Extracted: xworm 3.1
C2: paris-disciplinary.gl.at.ply.gg:63286
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: SexyBoy.bat
Score: 10/10
Signatures:
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes)
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2