General
-
Target
UltraHook_2.exe
-
Size
1.3MB
-
Sample
240531-zmz4xach6z
-
MD5
c90ce470e5a8d57b0f4db2233a775ad9
-
SHA1
757c3abec71cc3cdcdc4bf7ac71ea188c436078d
-
SHA256
4220bc873c501c7a34f1b9a638a5e1f32aa9904e9a5fa22e9bc742cc0879ef9a
-
SHA512
473b3619945f10db78ccf13587f89fb115cf55929db8dd3de013c7f144e826460935f218c82776f2c1c2bc44926b5d07306fda2102bb286882bfd1a7a38f0d6e
-
SSDEEP
24576:0VDTk3iXN0xaY2IB5F6GnIxFeKHuleVvDIx6p1T5NqNeOSarvZu8axUS2N:uomm1BjnIjRuleVvDIx6pbNqMl6faxUx
Static task
static1
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/Jt9Xgc6v
Targets
-
-
Target
UltraHook_2.exe
-
Size
1.3MB
-
MD5
c90ce470e5a8d57b0f4db2233a775ad9
-
SHA1
757c3abec71cc3cdcdc4bf7ac71ea188c436078d
-
SHA256
4220bc873c501c7a34f1b9a638a5e1f32aa9904e9a5fa22e9bc742cc0879ef9a
-
SHA512
473b3619945f10db78ccf13587f89fb115cf55929db8dd3de013c7f144e826460935f218c82776f2c1c2bc44926b5d07306fda2102bb286882bfd1a7a38f0d6e
-
SSDEEP
24576:0VDTk3iXN0xaY2IB5F6GnIxFeKHuleVvDIx6p1T5NqNeOSarvZu8axUS2N:uomm1BjnIjRuleVvDIx6pbNqMl6faxUx
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-