General
-
Target
seo-marketing.exe
-
Size
60.2MB
-
Sample
240806-gahd8avdle
-
MD5
2bf7d4849bcf39691c8c49ed1ac92f76
-
SHA1
f2c477fa8d31b6b4f69ec910d81edc230a696d8e
-
SHA256
133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2
-
SHA512
b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0
-
SSDEEP
1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL
Static task
static1
Behavioral task
behavioral1
Sample
seo-marketing.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
seo-marketing.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7373326479:AAFc-qF_6b4d0zpxZKNAYyps6FvSKGESa2U/sendMessage?chat_id=-4262874204
Targets
-
-
Target
seo-marketing.exe
-
Size
60.2MB
-
MD5
2bf7d4849bcf39691c8c49ed1ac92f76
-
SHA1
f2c477fa8d31b6b4f69ec910d81edc230a696d8e
-
SHA256
133e7b9b8be02554a282cc51be5a419d7c867bf0ad30939077121029843d4cd2
-
SHA512
b757b804c82e061c37aaa6e059f0a6a72da57beeddbf16ea898be4db60afddedb75051a512a11fa69a16120cd9b6c04e1646b7181f501ce3b785b4f995a864e0
-
SSDEEP
1572864:OgvxU1VpeCDiyPKKdBHYSA+H438beTcGleoL:Ogy1VrDmKdY38beTcloL
-
Detect Xworm Payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-