General
Target: Уолтер Уайт звонит, прими звонок.exe (Russian; the filename reads "Walter White is calling, take the call.exe", a social-engineering lure)
Size: 1.2MB
Sample: 240528-plqtqsed84
MD5: 125804856ef3d0de3e8af8c110b49f93
SHA1: 5a6aab0ec49536fd531de79e8769f7c40c67003a
SHA256: a261eb0a0a1645eb704acc340579f4954677a9308a3a3fff7f18a8fa9fbe5639
SHA512: a91aa797093ac1cab925f889b9b9d2107c76441f207f7ffb6aec605b2ce11c324f75d0ded61eed2c089dd8c2c5eaa301402c3d0c59623f716f8bf6dbb736f8d3
SSDEEP: 24576:2BjlatCWabvaqkwT4dXb7JAX05wfi8IbcBP8US9ACRNBtUg/Lt0WwbdP5u2:2tEH4zkwTgXb7RCfC4l8US97RNUyLt6l
Static task: static1
Behavioral task: behavioral1
  Sample: Уолтер Уайт звонит, прими звонок.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Уолтер Уайт звонит, прими звонок.exe
  Resource: win10v2004-20240508-en
Malware Config
Extracted family: xworm
C2: 19.ip.gl.ply.gg:59926 (a *.ply.gg hostname is a playit.gg tunnel endpoint, so the operator's real address sits behind the tunnel service rather than in the sample)
Install_directory: %AppData%
install_file: svchost.exe (masquerades as the Windows service host; a genuine svchost.exe runs only from System32 or SysWOW64, so this path is the high-signal indicator)
Targets
Target: Уолтер Уайт звонит, прими звонок.exe (1.2MB; same file and hashes as listed under General)
Score: 10/10

Signatures:
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell. Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. Defender exclusions are normally set with the Add-MpPreference cmdlet; the report does not show the exact command line used.
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application. Consistent with the extracted config: persistence as svchost.exe under %AppData%.
- Looks up external IP address via web service. Uses a legitimate IP-lookup service to learn the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger. The sample calls NtSetInformationThread with the ThreadHideFromDebugger class, which stops an attached debugger from receiving that thread's events; an anti-analysis technique.
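The extracted config and the signature list above translate directly into endpoint hunting rules. The script below is an added example written for this page, not output of the sandbox and not part of the XWorm sample: it encodes the report's C2, the svchost.exe-outside-System32 install path, the PowerShell Defender-exclusion behaviour, the Run-key persistence and the external-IP lookup as checks, and runs them over a handful of constructed events. The event shape and field names, the IP-lookup host list and the regexes are assumptions, not a real agent's schema.

```python
"""Hunting checks derived from the XWorm report above (added example, not sandbox output)."""
import ntpath
import re

# IOCs copied from the report's extracted config.
C2_HOST, C2_PORT = "19.ip.gl.ply.gg", 59926
INSTALL_FILE = "svchost.exe"

# Only directories a genuine svchost.exe runs from; anything else (including an
# unexpanded %AppData%) is treated as the masqueraded dropper.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed patterns: Run/RunOnce key suffix and a PowerShell Defender-exclusion command.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
MPPREF_RE = re.compile(r"add-mppreference\b.*-exclusion(?:path|extension|process)", re.I)
# Assumed list of common external-IP lookup services (the report names none).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}


def svchost_outside_system(image_path: str) -> bool:
    """True when a file named svchost.exe is not in System32/SysWOW64."""
    head, tail = ntpath.split(ntpath.normpath(image_path).lower())
    return tail == INSTALL_FILE and head not in LEGIT_SVCHOST_DIRS


def check_event(ev: dict) -> list[str]:
    """Return the report-derived indicators a single event matches."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        if svchost_outside_system(ev["image"]):
            hits.append("svchost.exe outside System32/SysWOW64 (install_file under %AppData%)")
        if MPPREF_RE.search(ev.get("cmdline", "")):
            hits.append("PowerShell adds Windows Defender exclusion")
    elif kind == "registry":
        target = ev["value"].strip('"')
        if RUN_KEY_RE.search(ev["key"]) and svchost_outside_system(target):
            hits.append("Run key pointing at dropped svchost.exe")
    elif kind == "network":
        host = ev["dst_host"].lower()
        if host == C2_HOST and ev["dst_port"] == C2_PORT:
            hits.append("connection to extracted C2 19.ip.gl.ply.gg:59926")
        elif host in IP_LOOKUP_HOSTS:
            hits.append("external IP lookup via web service")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run check_event over every event; returns (event index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed sample telemetry: one benign svchost, one benign connection, and
# five events modelled on the behaviours the report lists.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command Add-MpPreference -ExclusionPath "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "svchost", "value": r'"C:\Users\bob\AppData\Roaming\svchost.exe"'},
    {"type": "network", "dst_host": "19.ip.gl.ply.gg", "dst_port": 59926},
    {"type": "network", "dst_host": "api.ipify.org", "dst_port": 443},
    {"type": "network", "dst_host": "update.microsoft.com", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

The path check normalises with ntpath so it behaves the same on an analyst's Linux box as on Windows, and it deliberately flags an unexpanded `%AppData%\svchost.exe` as well, which is how the value often appears in Run-key data. Indicators that rest on the sandbox's exact strings (the C2 hostname and port) are strong; the PowerShell and IP-lookup patterns are broader and will also fire on legitimate administration, so treat them as corroboration next to the svchost path and C2 hits.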