General
-
Target
Loader V2.exe
-
Size
8.1MB
-
Sample
240802-ncf3hawbqk
-
MD5
70a8a700260d1bf5d40214b4d16f2a4d
-
SHA1
888afda0f542f857c3627845abb17320c79348a3
-
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
-
SHA512
8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
-
SSDEEP
196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
Static task
static1
Behavioral task
behavioral1
Sample
Loader V2.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Loader V2.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Loader V2.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral4
Sample
Loader V2.exe
Resource
win11-20240730-en
Malware Config
Extracted
xworm
147.185.221.20:13908
147.185.221.16:60401
-
Install_directory
%AppData%
-
install_file
svhost.exe
-
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630
Extracted
44caliber
https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Targets
-
-
Target
Loader V2.exe
-
Size
8.1MB
-
MD5
70a8a700260d1bf5d40214b4d16f2a4d
-
SHA1
888afda0f542f857c3627845abb17320c79348a3
-
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
-
SHA512
8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
-
SSDEEP
196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1