General
-
Target
penos.zip
-
Size
82.3MB
-
Sample
240527-ncjhmaad76
-
MD5
7bfab1f4c9a40cf240fae1b31bef8a08
-
SHA1
9aa74dc1c17c3e89e118e9098a55e5e5d9b394bd
-
SHA256
da87a51e5599493f619348e983e447e3c3ffdb59acebd8b69119a4f272daa85c
-
SHA512
bdc529b61383150320c423bdb5bf55afbaf8697f0dea6be4f29ee67333000026ed5f218bf91b6cccb60b210c516c2f4845786357a1cfef888bd0b5af2ef06c1c
-
SSDEEP
1572864:mAjAq4HBwDHup/Eys11xDzNBwYw76w6b536dHwipDxU95aZ8YCztZXcfzr+MA:/0iStsHxDzXwYwsQdQQDxU95aaLBMA
Behavioral task
behavioral1
Sample
penos.zip
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
penos.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
FizzyLoader/.FizzyLoader..exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
FizzyLoader/.FizzyLoader..exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
5.0
lute4ql2kQEsQ5jF
-
Install_directory
%LocalAppData%
-
install_file
Steam.exe
-
pastebin_url
https://pastebin.com/raw/L03qgun0
-
telegram
https://api.telegram.org/bot6993229957:AAHEakdfReLdmvZfu_SKkbkjQu_FQo8OuNM/sendMessage?chat_id=6997816064
Targets
-
-
Target
penos.zip
-
Size
82.3MB
-
MD5
7bfab1f4c9a40cf240fae1b31bef8a08
-
SHA1
9aa74dc1c17c3e89e118e9098a55e5e5d9b394bd
-
SHA256
da87a51e5599493f619348e983e447e3c3ffdb59acebd8b69119a4f272daa85c
-
SHA512
bdc529b61383150320c423bdb5bf55afbaf8697f0dea6be4f29ee67333000026ed5f218bf91b6cccb60b210c516c2f4845786357a1cfef888bd0b5af2ef06c1c
-
SSDEEP
1572864:mAjAq4HBwDHup/Eys11xDzNBwYw76w6b536dHwipDxU95aZ8YCztZXcfzr+MA:/0iStsHxDzXwYwsQdQQDxU95aaLBMA
Score1/10 -
-
-
Target
FizzyLoader/.FizzyLoader..exe
-
Size
296KB
-
MD5
0b65f0386ba941b6b611c06e5fc13bc9
-
SHA1
2b14f00ea554baa5f77c764078bd3f6e5f196178
-
SHA256
b240d620b5fcd62182a16433c4990014d0a67e3a096838c0e6b2d849140b3199
-
SHA512
211e93004a447bde01f0f8d9426c05026b6acb2ced055166a2e2a551d93d62d8a96173efdb99617bb200234d00d76207a5321f5b442fb087aa75097b1801fd1c
-
SSDEEP
6144:PhLY3fHcPBkpHPR8WIS9XgorLS6PaOKI0qc8cDbcVdH:6I6pvBqEeqc7sH
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-