General
Target: MOT-DE-PASSE.js
Size: 24KB
Sample: 240920-zpq9saxfpl
MD5: 3568415c8644c0e6a231927bb26c3307
SHA1: 3cdece2baabd90c46b4b10d8fc14dfbbc7352651
SHA256: 914710d214497ca13da8f3ce50aae097c508ac9b45596c1728404a5a85258622
SHA512: 465238863185d29bede8da70f823d1ac78874768962a726b1262f65411547cd9d2502d78ea5633642b2a26cbeb754ea1c174d4fcf0229d99035fd5c0a98227fe
SSDEEP: 768:mUj6N48QwfUtVRd64neTcgc0N4DnW2N2Tcc4Hg/0IeSpQYQBcRRuv1mcifM+oQ4a:AfGefZD/MFiZ
Static task: static1
Behavioral task: behavioral1
  Sample: MOT-DE-PASSE.js
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: MOT-DE-PASSE.js
  Resource: win10v2004-20240802-en
Malware Config
Extracted: https://drive.google.com/uc?export=download&id=
Extracted: Protocol: ftp, Host: ftp.desckvbrat.com.br, Port: 21, Username: desckvbrat1, Password: developerpro21578Jp@@
Extracted: xworm 5.0
  moneyluckwork.ddns.net:7000
  moneyluck.duckdns.org:7000
  gGehVFEiZl8AfiDz
  install_file: USB.exe
  telegram: https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Extracted: gurcu
  https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Targets
Target: MOT-DE-PASSE.js
Size: 24KB
- Detect Xworm Payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access or copy of web browser credential store.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)