General
-
Target
2024-05-30_f189d5cd0a010355a57583247f386c41_hiddentear
-
Size
162KB
-
Sample
240530-e69r8sfg47
-
MD5
f189d5cd0a010355a57583247f386c41
-
SHA1
72c0849b4b0639582220b39b21a55b0bc287e56a
-
SHA256
d77887e43b9073cfbb4eb4fecb647c002fc71cd7fe528bacedd78c08e9f4664a
-
SHA512
ce9d145552e5782303db84d84c5915771bfd166660728b4508acc6ec6a832a5e7fe501aac736ed3c5d52aced2b1f1235e04a1388e9cdb7790cdec6b80ea09e4d
-
SSDEEP
3072:OauONY0bWpbxfl4HHOgs+M+lmsolAIrRuw+mqv9j1MWLQd:JTqbIHOd+lDAA
Behavioral task
behavioral1
Sample
2024-05-30_f189d5cd0a010355a57583247f386c41_hiddentear.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-30_f189d5cd0a010355a57583247f386c41_hiddentear.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
xworm
127.0.0.1:1010
-
Install_directory
%AppData%
-
install_file
mobejaia.exe
Targets
-
-
Target
2024-05-30_f189d5cd0a010355a57583247f386c41_hiddentear
-
Size
162KB
-
MD5
f189d5cd0a010355a57583247f386c41
-
SHA1
72c0849b4b0639582220b39b21a55b0bc287e56a
-
SHA256
d77887e43b9073cfbb4eb4fecb647c002fc71cd7fe528bacedd78c08e9f4664a
-
SHA512
ce9d145552e5782303db84d84c5915771bfd166660728b4508acc6ec6a832a5e7fe501aac736ed3c5d52aced2b1f1235e04a1388e9cdb7790cdec6b80ea09e4d
-
SSDEEP
3072:OauONY0bWpbxfl4HHOgs+M+lmsolAIrRuw+mqv9j1MWLQd:JTqbIHOd+lDAA
Score10/10-
Detect Xworm Payload
-
Detects Windows executables referencing non-Windows User-Agents
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-