General
-
Target
launcher.exe
-
Size
284KB
-
Sample
240916-vge5bsygpj
-
MD5
ec46ff697f5c18c43434dce6236aeaf6
-
SHA1
c77d4a14822e6c5f7bcffdc0a5e6a1345c948e84
-
SHA256
bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b
-
SHA512
d065758bf6397d348678c0aae5df77d68188fe55a26557770aa055fa330243050189862651bdbb5dde60d13cdf323f2fc5815d4090294fb9c22b714cd96d07d9
-
SSDEEP
6144:F8emLf5K/nSiKWiB3XjdOwkL1xO51jwoT98Laf6TUIa1bq/KMw:qeAxKPPiB3zEjLPCUkf6J
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
Targets
-
-
Target
launcher.exe
-
Size
284KB
-
MD5
ec46ff697f5c18c43434dce6236aeaf6
-
SHA1
c77d4a14822e6c5f7bcffdc0a5e6a1345c948e84
-
SHA256
bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b
-
SHA512
d065758bf6397d348678c0aae5df77d68188fe55a26557770aa055fa330243050189862651bdbb5dde60d13cdf323f2fc5815d4090294fb9c22b714cd96d07d9
-
SSDEEP
6144:F8emLf5K/nSiKWiB3XjdOwkL1xO51jwoT98Laf6TUIa1bq/KMw:qeAxKPPiB3zEjLPCUkf6J
Score10/10-
Detect Xworm Payload
-
Phemedrone
An information and wallet stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-