General

Target: XBinderOutput.exe
Size: 269KB
Sample: 240907-lmj6ssxdlr
MD5: 8b45e5989e41d1512ab5aeb7e79a0646
SHA1: bb5eac66225b3fda93ad83a1eb5d98ace5b9c6d4
SHA256: 3c74b4676f493cabec4327fc8f9f95a4e1755d3f7d1e156dc076b5915495682b
SHA512: c753483cd538e856e894e0b4d5d9211b07e17b02209bc463d6afc5e645e627b2385ee46b8a8c7825eda617e20fd6b318750d878e3fc7a9f3d1ff0a83b44064af
SSDEEP: 6144:gDixhyqtRZ2XdRB3XjdOwkL1xOnD+Y96xf6TUIa1bq/KMw:gmxhHtRZqdRB3zEjLPPf6J
Static task: static1

Behavioral task: behavioral1
Sample: XBinderOutput.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: XBinderOutput.exe
Resource: win10v2004-20240802-en
Malware Config

Extracted: phemedrone
https://api.telegram.org/bot7375773294:AAFZUnpXCxGuVizu2hOj5WMYl9ULnbeqZ6c/sendDocument

Extracted: xworm
5.0
89.31.122.114:1488
8hQA9bqDdqRhTokn
Install_directory: %LocalAppData%
install_file: Microsoft Teams.exe
Targets

Target: XBinderOutput.exe
Size: 269KB
- Detect Xworm Payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.