General
- Target: Downloads.exe
- Size: 411KB
- Sample: 240620-ngqshayfjk
- MD5: 87ac4c646fd5b62dbabf59fb6ef34fd7
- SHA1: 45832029b6cfa6c4020ee0e1f965bd5898d5f137
- SHA256: 65b6f1f4ac0fbc8a7a113548630b284a731e0b219bee029745f2710b6e02c51c
- SHA512: b647910eaeaee60b8d2378986bf824dfddfd9b3a4e0f2a8a723406da1a6072bf9171ee12fd0178e027ddfdc4be8fbb4d74f9e94dd470d4342c6711dbe9ea02b7
- SSDEEP: 12288:Kat0EAH49n8BLaWNO8DlIlaRJ3wWxJS7Xy4WtZ:Ft24saW02pbWO4g
- Static task: static1
Malware Config
- Extracted: 44caliber
  - https://discord.com/api/webhooks/1253302699978526772/b5mqXVOEs47XQy9dHee2Po12VotJwgdPtLauhKlKoyBH-xF42vUZ2Glc0N58n1pvAEdH
- Extracted: xworm
  - 127.0.0.1:32901
  - engineering-thoroughly.gl.at.ply.gg:32901
  - Install_directory: %AppData%
  - install_file: OxyInstaller.exe
Targets
- Target: Downloads.exe
- Size: 411KB
- MD5: 87ac4c646fd5b62dbabf59fb6ef34fd7
- SHA1: 45832029b6cfa6c4020ee0e1f965bd5898d5f137
- SHA256: 65b6f1f4ac0fbc8a7a113548630b284a731e0b219bee029745f2710b6e02c51c
- SHA512: b647910eaeaee60b8d2378986bf824dfddfd9b3a4e0f2a8a723406da1a6072bf9171ee12fd0178e027ddfdc4be8fbb4d74f9e94dd470d4342c6711dbe9ea02b7
- SSDEEP: 12288:Kat0EAH49n8BLaWNO8DlIlaRJ3wWxJS7Xy4WtZ:Ft24saW02pbWO4g
- Detect Xworm Payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.