General
-
Target
fix.exe
-
Size
35KB
-
Sample
240701-n9bt2s1akf
-
MD5
83bbe29b99a54bad48074efb72ce1fcc
-
SHA1
421deeba13130a8eebacc8c7f48f28e6fe8485f2
-
SHA256
99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
-
SHA512
67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
-
SSDEEP
768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7
Behavioral task
behavioral1
Sample
fix.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
fix.exe
Resource
win7-20240611-en
Behavioral task
behavioral3
Sample
fix.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
fix.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
5.0
20.ip.gl.ply.gg:53765
JCfj6Aifpywc6Ul9
-
Install_directory
%AppData%
-
install_file
svchost.exe
Extracted
44caliber
https://discordapp.com/api/webhooks/1257280785476489217/L0UpV_ifGB55FAhZrd11A9RdK3XS9SxV4y_plmFbDZcUnmaJOTP9fgCIl4fpiKvDuv1o
Targets
-
-
Target
fix.exe
-
Size
35KB
-
MD5
83bbe29b99a54bad48074efb72ce1fcc
-
SHA1
421deeba13130a8eebacc8c7f48f28e6fe8485f2
-
SHA256
99bf031f23b1759702a56ccfc9425f0a063654dcc4a94d8feeb89792c82f3082
-
SHA512
67fe2ac907c297cd3c4d1af7f80257b468bc4e73cab428568ea1238d41cd8c43262765a0b0d43b2accb003901a66e9e7ec162fefda2fd89040697e1e168ac27f
-
SSDEEP
768:ChiLce92aOrsQiUy5FyS9ZL6LOjhibold:ChkceWsQi5FT9ZL6LOjGo7
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-