General
-
Target
nerat.exe
-
Size
61KB
-
Sample
240620-k63xkszbkd
-
MD5
60797170ebbe376274cf30e64b127706
-
SHA1
648e9c31b92f4d3fb93e7ca8be73836883c41538
-
SHA256
405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
-
SHA512
754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
-
SSDEEP
1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP
Behavioral task
behavioral1
Sample
nerat.exe
Resource
win7-20240611-en
Malware Config
Extracted
xworm
127.0.0.1:32901
engineering-thoroughly.gl.at.ply.gg:32901
-
Install_directory
%AppData%
-
install_file
XClient.exe
Extracted
44caliber
https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X
Targets
-
-
Target
nerat.exe
-
Size
61KB
-
MD5
60797170ebbe376274cf30e64b127706
-
SHA1
648e9c31b92f4d3fb93e7ca8be73836883c41538
-
SHA256
405bdae4a67cc4a4e5a9d2f39acd2ea34f5054f4caa8b085f03bb1286dfb5105
-
SHA512
754d72a6b2a5428e64f0d8d58be0bd89a5f6a7c9ec646d08bccc981adf06567ab5191ba0a7768efe8ee8781bcd216e404a0ebaf55992a151e5536e26f8a93559
-
SSDEEP
1536:WzPVaddkiWRZrtTAdBxmiABbARE4TKQDmjav6/LnkO8AqYZP:Wz4CLTA9mi+bARsbLnkO8AxZP
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-