General
-
Target
NursultanLoader.exe
-
Size
72KB
-
Sample
240531-rpzl6abc2t
-
MD5
d590eb23f811fadbac7c9bbba0c5f5e8
-
SHA1
7cb1544e98620162de39055f148df4891f06ffcb
-
SHA256
9ea7e5655b847e770ee629b265bdde6d84756ceef2b6fc2849b67ced1c16b524
-
SHA512
dc7728efc0a824d5ad4f42c733a50d9b5514e10a4720780c4d18817ad7cc49aea23bcedc371684e72e90046e8220c655cbe416b042a6adb5be326ca6d26549ce
-
SSDEEP
1536:IX30DjAWkrWjuCnxu8Z3hbKL8BgW6y6nOyPCoGp:I0D0KPNFhbKtnOxh
Behavioral task
behavioral1
Sample
NursultanLoader.exe
Resource
win11-20240508-en
Malware Config
Extracted
xworm
0.tcp.eu.ngrok.io:14677
-
Install_directory
%AppData%
-
install_file
Expensive 3.1.exe
Targets
-
-
Target
NursultanLoader.exe
-
Size
72KB
-
MD5
d590eb23f811fadbac7c9bbba0c5f5e8
-
SHA1
7cb1544e98620162de39055f148df4891f06ffcb
-
SHA256
9ea7e5655b847e770ee629b265bdde6d84756ceef2b6fc2849b67ced1c16b524
-
SHA512
dc7728efc0a824d5ad4f42c733a50d9b5514e10a4720780c4d18817ad7cc49aea23bcedc371684e72e90046e8220c655cbe416b042a6adb5be326ca6d26549ce
-
SSDEEP
1536:IX30DjAWkrWjuCnxu8Z3hbKL8BgW6y6nOyPCoGp:I0D0KPNFhbKtnOxh
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-