General

Target: DFySgza.exe
Size: 722KB
Sample: 240627-tjeqxayfqg
MD5: 11121bcdb91ca10910dd73184e839eb9
SHA1: e6d77a60915615d8c6404b087dc501956e0a4a88
SHA256: 623c0d2c26ef4d5a8911c8bee92271e12441dfd2b5de9ffed4ef63292eb13c11
SHA512: 49ca60d27ba16580b77ecc1e36f22d5ddfa0b417cfeeda21b5d29e529a04d4bc4f3f361b58e210bf0293c0e13b2b20125fedd5e35edcbcfc0f11787332ba6d5a
SSDEEP: 12288:UvnCG/5Mm1Uo5gvOFxg/2rwVmUBagLZZpLamotwEDdAIgU8Awwm0:Uv/BMm1UoyvMA2EFcgLZTaPwEhAIZwwR
Static task: static1
Malware Config

Extracted: xworm
C2: super-nearest.gl.at.ply.gg:17835

Extracted: asyncrat
Botnet: Default
C2: finally-grande.gl.at.ply.gg:25844
delay: 1
install: false
install_folder: %AppData%

Extracted: quasar
Version: 3.1.5
Botnet: Slave
C2: stop-largely.gl.at.ply.gg:27116
Mutex: $Sxr-kl1r656AGsPQksTmi8
encryption_key: ql4fQ8TV9ZFP9vRX2myA
install_name: $sxr~Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: $77STARTUP~MSF
subdirectory: $sxr~SubDir
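All three extracted C2 endpoints sit under ply.gg, the playit.gg tunnel domain, so the hostnames resolve to the tunnel provider's shared edge rather than to the operator's own box; network matching therefore has to key on hostname and port, not on the resolved IP. The Python below is an added example, not part of the sandbox report: it takes the host:port values from the extracted configs above and matches them against network log lines. The log format and the log lines themselves are constructed for this example and are not output from the sandbox run.

```python
"""Match network telemetry against the C2 endpoints extracted from DFySgza.exe.

Added example, not part of the sandbox report. EXTRACTED_C2 is copied from the
Malware Config above; the log format and the log lines are constructed for
this example and are not output from the sandbox run.
"""
import re
from dataclasses import dataclass

# family -> host:port, copied from the extracted configs above
EXTRACTED_C2 = {
    "xworm": "super-nearest.gl.at.ply.gg:17835",
    "asyncrat": "finally-grande.gl.at.ply.gg:25844",
    "quasar": "stop-largely.gl.at.ply.gg:27116",
}

# playit.gg tunnel domain: the operator's real host sits behind a shared edge,
# so block or alert on hostname and port, not on the resolved IP address.
TUNNEL_SUFFIX = ".ply.gg"


@dataclass(frozen=True)
class C2:
    family: str
    host: str
    port: int
    tunneled: bool


def parse_c2(family: str, entry: str) -> C2:
    """Split a 'host:port' config value into a C2 record."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"not a host:port entry: {entry!r}")
    host = host.lower()
    return C2(family, host, int(port), host.endswith(TUNNEL_SUFFIX))


C2_SET = [parse_c2(family, entry) for family, entry in EXTRACTED_C2.items()]

# Assumed log format for this example:
#   "<timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\w+)")

# Constructed sample log: an IP-lookup query (not a C2 host, so ignored here),
# the same tunnel name in two letter cases, and one ply.gg host on a port that
# differs from the extracted config.
SAMPLE_LOG = """\
2024-06-27T14:02:11Z 10.0.0.23 -> api.ipify.org:443 tcp
2024-06-27T14:02:13Z 10.0.0.23 -> super-nearest.gl.at.ply.gg:17835 tcp
2024-06-27T14:02:13Z 10.0.0.23 -> SUPER-NEAREST.gl.at.ply.gg:17835 tcp
2024-06-27T14:02:14Z 10.0.0.23 -> finally-grande.gl.at.ply.gg:443 tcp
2024-06-27T14:02:15Z 10.0.0.23 -> stop-largely.gl.at.ply.gg:27116 tcp
2024-06-27T14:03:00Z 10.0.0.42 -> updates.example.com:443 tcp
"""


def match_log(text: str, c2s=C2_SET):
    """Return (line_no, family, host, port, exact) for each line hitting a C2 host.

    exact is True when host and port both match the extracted config, False
    when only the hostname matches (for instance a rebuilt payload pointed at
    the same tunnel name on another port): still worth a look, lower confidence.
    """
    by_host = {}
    for c in c2s:
        by_host.setdefault(c.host, []).append(c)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, port = m["dst"].lower(), int(m["port"])
        for c in by_host.get(host, []):
            hits.append((n, c.family, host, port, port == c.port))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG):
        print(hit)
```

Hostnames are normalised to lower case before comparison, and a hostname-only hit is reported separately from a host-and-port hit so that a port change in a rebuilt payload does not silently drop the indicator.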
Targets

Target: DFySgza.exe (the file described under General; size and hashes identical)
Signatures

Detect Xworm payload
Quasar payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence check.
Executes dropped EXE
Looks up external IP address via web service
    Uses a legitimate IP lookup service to discover the infected system's external IP address.
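Three of the signatures above describe host behaviour that is detectable from standard Windows telemetry: the Defender exclusions land in PowerShell script-block logging (event 4104), the country-code check is a registry read, and the IP lookup is a DNS query to a well-known service. The Python below is an added example, not part of the sandbox report, that triages a constructed event stream for those behaviours and correlates them per process, since a geo check or an IP lookup on its own is common in benign software while a Defender exclusion is not. The events, the registry key pattern and the list of IP-lookup domains are assumptions of this example; the report does not show the sample's actual command lines.

```python
"""Triage constructed host telemetry for the behaviours listed in the report.

Added example, not part of the sandbox report. The events below are made up to
resemble Sysmon/PowerShell logging (4104 script blocks, registry reads, DNS
queries); they are not the sample's real activity, and the registry key and
the IP-lookup domain list are assumptions of this example.
"""
import re
from collections import defaultdict

# Add-MpPreference -Exclusion* carves holes in Defender scanning. PowerShell
# accepts unambiguous parameter prefixes, so match -Exclusion followed by any
# completion (-ExclusionPath, -ExclusionProcess, -ExclusionP ...).
DEFENDER_EXCLUSION = re.compile(r"\bAdd-MpPreference\b[^\n;|]*?-Exclusion\w*", re.I)
# Set-MpPreference -Disable<Feature> $true turns a protection off; $false is not a hit.
DEFENDER_DISABLE = re.compile(
    r"\bSet-MpPreference\b[^\n;|]*?-Disable\w*\s+(?:\$true|1)\b", re.I)
# Value(s) of each -Exclusion* parameter, quoted or bare, up to the next -Param.
EXCLUSION_ARG = re.compile(r"-(Exclusion\w*)\s+([^-][^\n;|]*?)(?=\s+-\w|$)", re.I)
VALUE = re.compile(r"""'([^']*)'|"([^"]*)"|([^\s,'"]+)""")
# GeoID of the configured location; assumed key for this example.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Public "what is my IP" services; illustrative list, extend as needed.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "icanhazip.com", "ip-api.com",
                     "ipinfo.io", "checkip.dyndns.org", "wtfismyip.com"}

# Constructed events: pid 4120 tampers with Defender, pid 3988 does the geo
# check plus an IP lookup, pid 812 does only the geo check (benign-looking).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "powershell",
     "data": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionProcess 'DFySgza.exe'"},
    {"pid": 4120, "type": "powershell", "data": "Add-MpPreference -ExclusionExtension exe"},
    {"pid": 4120, "type": "powershell", "data": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4120, "type": "powershell", "data": "Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"pid": 4120, "type": "powershell", "data": "Get-MpPreference | Select-Object ExclusionPath"},
    {"pid": 3988, "type": "registry", "data": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
    {"pid": 3988, "type": "dns", "data": "api.ipify.org"},
    {"pid": 3988, "type": "dns", "data": "super-nearest.gl.at.ply.gg"},
    {"pid": 812, "type": "registry", "data": r"HKU\S-1-5-21-1\Control Panel\International\Geo\Nation"},
    {"pid": 812, "type": "dns", "data": "www.example.com"},
]


def classify(event):
    """Return the behaviour names a single event matches (possibly several)."""
    kind, data = event["type"], event["data"]
    hits = []
    if kind == "powershell":
        if DEFENDER_EXCLUSION.search(data):
            hits.append("defender_exclusion_added")
        if DEFENDER_DISABLE.search(data):
            hits.append("defender_feature_disabled")
    elif kind == "registry" and GEO_NATION.search(data):
        hits.append("geo_nation_read")
    elif kind == "dns" and data.lower().rstrip(".") in IP_LOOKUP_DOMAINS:
        hits.append("external_ip_lookup")
    return hits


def extract_exclusions(script):
    """Map each -Exclusion* parameter in a script block to the values it adds."""
    found = defaultdict(list)
    for m in EXCLUSION_ARG.finditer(script):
        found[m.group(1).lower()].extend("".join(g) for g in VALUE.findall(m.group(2)))
    return dict(found)


def triage(events, min_behaviours=2):
    """Group hits per pid. A process is reported if it shows at least
    min_behaviours distinct behaviours, or any Defender tampering at all."""
    per_pid = defaultdict(set)
    exclusions = defaultdict(dict)
    for e in events:
        for h in classify(e):
            per_pid[e["pid"]].add(h)
            if h == "defender_exclusion_added":
                for param, vals in extract_exclusions(e["data"]).items():
                    exclusions[e["pid"]].setdefault(param, []).extend(vals)
    return {pid: {"behaviours": sorted(b), "exclusions": exclusions.get(pid, {})}
            for pid, b in per_pid.items()
            if len(b) >= min_behaviours or any(h.startswith("defender_") for h in b)}


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info)
```

The extracted exclusion values are what you would feed back into a hunt: a path or process name excluded from Defender is usually where the dropped payload (here the configured install_folder and install_name) is about to land.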