General
-
Target
e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
-
Size
297KB
-
Sample
240809-zj4b6aybnm
-
MD5
9b650b738d97c0e39717fe86401a6726
-
SHA1
34f361ab5024ad4390a3906cb3fff5a7b5f7e656
-
SHA256
e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
-
SHA512
a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
-
SSDEEP
6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs
Malware Config
Extracted
xworm
engineering-thoroughly.gl.at.ply.gg:32901
20.ip.gl.ply.gg:32901
-
install_file
USB.exe
Targets
-
-
Target
e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
-
Size
297KB
-
MD5
9b650b738d97c0e39717fe86401a6726
-
SHA1
34f361ab5024ad4390a3906cb3fff5a7b5f7e656
-
SHA256
e94a439b85ca5bc7d19dda9a6ea43d921c385f99dedf8b6a6560cb747e43e264
-
SHA512
a6664916c5c1bfd66e58face5c1811f95b6489c3e1d4728d4efee92233192fb145c8f0cca46582d560356b92732a8727794a7d8765d16c4df567eb5eb84b1e30
-
SSDEEP
6144:Ka4InuJg58BkgqPoDH49n8Bb/cQ/gW/tQtbgk3KlRWvWl/HrrACG7:Kat0EAH49n8BLgSZQKXW+l/HnACs
Score10/10-
Detect Xworm Payload
-
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
-
Xworm
Xworm is a remote access trojan written in C#.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-