General
Target: Offertopurchase.js
Size: 329KB
Sample: 240807-hkstdateqn
MD5: b4105714b83cef4f0d8d859364cd6322
SHA1: 448f53b0c979beb7305db50a282bef00043e6840
SHA256: f7012ceb3f5f17167f1b0eb83dc97b3064ea92dc81d1151a2218112895142afd
SHA512: 91a19c5e098351e053de13d4c8ebe3677f2fec4aac7a63169a30ea147c75b0ce734e11011724ff6d7be7e7b2311ce9663ef9b6c52f2172febaca2c2f7cb03f0a
SSDEEP: 768:P7rCumqiWTinPK6eOK6mW3XKqe+KqmG9NqaeOqamWX3qKuH+qKmGxBK6eOK6mW3G:rdvJ5strohpUtg1vx
Static task: static1
Behavioral task: behavioral1
  Sample: Offertopurchase.js
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: Offertopurchase.js
  Resource: win10v2004-20240802-en
Malware Config
Extracted
https://ia601606.us.archive.org/10/items/deathnote_202407/deathnote.jpg
Extracted
xworm
5.0
christyrusike21.duckdns.org:7000
znkTtudE0WUuGVBW
install_file: USB.exe
Targets
Target: Offertopurchase.js
Size: 329KB
Detect Xworm Payload
StormKitty payload
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
Blocklisted process makes network request
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Adds Run key to start application
Suspicious use of SetThreadContext