General
-
Target
launcher.exe
-
Size
291KB
-
Sample
240916-tq5wnsxcrj
-
MD5
11501a69ddf54287446e4cffa4d268a3
-
SHA1
09bab84093ed44ec38bc240459c9e1905762110f
-
SHA256
8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
-
SHA512
bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
-
SSDEEP
6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J
Static task
static1
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
Targets
-
-
Target
launcher.exe
-
Size
291KB
-
MD5
11501a69ddf54287446e4cffa4d268a3
-
SHA1
09bab84093ed44ec38bc240459c9e1905762110f
-
SHA256
8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
-
SHA512
bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
-
SSDEEP
6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-