General
- Target: Setup.bat
- Size: 11.3MB
- Sample: 240710-wqsbpavbna
- MD5: 9aff8574d8d61060a26322de49f6e224
- SHA1: a54fefc6c1f686df660a49dd27f343b156e7bedb
- SHA256: a1605f71cbcf4725e72b5420c5c8a1c95d7e7a0b0f3b6c362da595630156ff44
- SHA512: 0c31c2b9a03345e0794a0c792c998e7612e6bd739aa1e54b3362d4a9b4138f0bfbaa6fd9cfc0f09dae4f28acac3e7b85f1d5a5ddff50ca3bdc97648585911d1e
- SSDEEP: 49152:Ve5orIoZAQ8VbY1a5csL7A1P5nfq1HTQ+HORrunnSc65rtrYY2I3yhyJglRfZ2kY:n
Static task
static1
Malware Config
Extracted
xworm
- Install_directory: %Temp%
- install_file: Winhlp32.exe
Extracted
asyncrat
- Made By Mr.Joex
- Default
- times-rest.gl.at.ply.gg:6286
- ndimkoqfvoe
- delay: 1
- install: false
- install_folder: %AppData%
Targets
- Target: Setup.bat
- Size: 11.3MB
- MD5: 9aff8574d8d61060a26322de49f6e224
- SHA1: a54fefc6c1f686df660a49dd27f343b156e7bedb
- SHA256: a1605f71cbcf4725e72b5420c5c8a1c95d7e7a0b0f3b6c362da595630156ff44
- SHA512: 0c31c2b9a03345e0794a0c792c998e7612e6bd739aa1e54b3362d4a9b4138f0bfbaa6fd9cfc0f09dae4f28acac3e7b85f1d5a5ddff50ca3bdc97648585911d1e
- SSDEEP: 49152:Ve5orIoZAQ8VbY1a5csL7A1P5nfq1HTQ+HORrunnSc65rtrYY2I3yhyJglRfZ2kY:n
- Detect Xworm Payload
- Async RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory