General
-
Target
Shellbag anylizer.exe
-
Size
69KB
-
Sample
240613-1vqe4s1hph
-
MD5
a498059077fb136b7d57ef6f00dcae46
-
SHA1
77421f91ed2c1586419128bd4687241050d712cc
-
SHA256
8f2d3eeab5e5d807acff4be9b7d6b41340f0c8a891baa094543d10e65ccec7f2
-
SHA512
3bec766aa97ed8b89c8be1c4da89befc5f22217637f72d158753996b2ed74439cf485e7692f4f1fa522d31ceb608c86b9035e9c594fcb147a91edf4547ac14c3
-
SSDEEP
1536:bS3U8pWjIK2vvt8yAnkEZ6sPvWybW46zaQInA6dylkYcdOisYt2jNsXr:bWfWjXENk6wpbW4B9SSOisYsxer
Behavioral task
behavioral1
Sample
Shellbag anylizer.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Shellbag anylizer.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
-
Install_directory
%Temp%
-
install_file
svchost.exe
-
pastebin_url
https://pastebin.com/raw/qEVZXv39
Extracted
umbral
https://discord.com/api/webhooks/1228033288061583443/fMN2NuuQRV7pkiIZ0PwY980zozE_UYckmNOKmsrzvNf0xKeDmgGvDkNwC07bWCnl3OgB
Targets
-
-
Target
Shellbag anylizer.exe
-
Size
69KB
-
MD5
a498059077fb136b7d57ef6f00dcae46
-
SHA1
77421f91ed2c1586419128bd4687241050d712cc
-
SHA256
8f2d3eeab5e5d807acff4be9b7d6b41340f0c8a891baa094543d10e65ccec7f2
-
SHA512
3bec766aa97ed8b89c8be1c4da89befc5f22217637f72d158753996b2ed74439cf485e7692f4f1fa522d31ceb608c86b9035e9c594fcb147a91edf4547ac14c3
-
SSDEEP
1536:bS3U8pWjIK2vvt8yAnkEZ6sPvWybW46zaQInA6dylkYcdOisYt2jNsXr:bWfWjXENk6wpbW4B9SSOisYsxer
-
Detect Umbral payload
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-