General
-
Target
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
-
Size
7.0MB
-
Sample
240924-z2cxxsyepd
-
MD5
f52edee9472d973f7aedaa58baed96e6
-
SHA1
dee4734806f0a47e81627a66b2c75e5ec37b6b1a
-
SHA256
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
-
SHA512
1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
-
SSDEEP
98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
Static task
static1
Behavioral task
behavioral1
Sample
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260.exe
Resource
win7-20240729-en
Malware Config
Extracted
xworm
146.190.110.91:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Extracted
gurcu
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Targets
-
-
Target
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
-
Size
7.0MB
-
MD5
f52edee9472d973f7aedaa58baed96e6
-
SHA1
dee4734806f0a47e81627a66b2c75e5ec37b6b1a
-
SHA256
56747e2199faa9d6a532d07432f7f784f1ab773bfbae4bc2c4384574c035a260
-
SHA512
1568f66ea43208900e1800ac59946f92d426d05d00783decdce31eb088ec54cd467adf640e5b2a5388f5ee6ccd2840dfe551f9ae18c06b168a469ec18a85ef0b
-
SSDEEP
98304:bmurSHFk4vh9IWa/LP3Nm9Zlxne1uxetbDEgovbddnY6Jy3yH/O:b6m7P3Nm9ZWiADEp5F0R
-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-