General
Target: 801de46b2c66cd9de4e42994e453b705.bin
Size: 16.2MB
Sample: 240608-dyyjkahb84
MD5: 9762d7ff3844a39c96d7e47d1cf09400
SHA1: 58fea14cc4e95f078c4b14e4c50b60ff5653b585
SHA256: 958c2c409b7f77dd4e60fb4995ec70331c7c5170285ac680b10c636ebb3f8692
SHA512: 06d97cde90e6011adcdd4c04b711d7b72f9081b7bae1bfa38b05e2ab7377221069ed875d9cc729d817379a6990c833074a83acb759037082532c768e693385a3
SSDEEP: 393216:FIUhUKnp+ufkAI9GLRA1msFZUjHGdyqvQI75ortLCwbOojKVDb:0mp+tT9/ZamGI7I5JbOojqDb
Static task: static1
Behavioral task: behavioral1
Sample: 2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a.exe
Resource: win7-20240508-en
Malware Config
Extracted
xworm
3.1
185.91.127.220:7000
J7nl5MwCxTq9hrOG
install_file: USB.exe
Targets
Target: 2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a.exe
Size: 16.2MB
MD5: 801de46b2c66cd9de4e42994e453b705
SHA1: e6f7f7d4e06c9948d062a5bad25da7d6f2ce1199
SHA256: 2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a
SHA512: 7a84ecc5e7f4213a229556d75869c14ab23f95cfcf0788869c102ce5a364c3d108ec5eff4e39c8f8cd10cd76f53006b5372530b7b03dc96a43211e4021041158
SSDEEP: 393216:J3e2a9uurW2iUDWyoPmhPl61L/b/GeROY5CFPnaTTkZE:J309Lrj1rhN61TyRPuTk
Signatures
- Detect Xworm Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.