General
-
Target
Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
-
Size
68.4MB
-
Sample
240927-j9avjaweld
-
MD5
fafa18991a490387dc823be9adf6e29f
-
SHA1
eab943f4576e79904a94055926484747189c77de
-
SHA256
eff974059b7909f8283fdb630a6951d83b772470bf96d748f7510ec73dfeca13
-
SHA512
ecc5cd90108371ea2d5f999e6b95af106dfbb392e500943fa983702f334ef8c00d573ec9eebf70e9238c3e4d20faab6533676bdd01f6d23e8f5b32e7e2fc4c59
-
SSDEEP
1572864:I+zJ89Xx5ouCMhpsJLGix8PJXz8twcwcnLBw2+TGeRBeWqJ58v9AvgPsDrTSC:F8J/oEhWJLPuJjrcwcN/YnRQjJ9gPESC
Static task
static1
Behavioral task
behavioral1
Sample
Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
Resource
win7-20240704-en
Malware Config
Extracted
lumma
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
Extracted
xworm
5.0
lun.servepics.com:25902
gUAMuTh5gjsDB7Ov
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0
Extracted
lumma
https://gutterydhowi.shop/api
https://ghostreedmnu.shop/api
https://offensivedzvju.shop/api
https://vozmeatillu.shop/api
https://drawzhotdog.shop/api
https://fragnantbui.shop/api
https://stogeneratmns.shop/api
https://reinforcenh.shop/api
https://ballotnwu.site/api
Extracted
gurcu
https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755
Targets
-
-
Target
Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
-
Size
68.4MB
-
MD5
fafa18991a490387dc823be9adf6e29f
-
SHA1
eab943f4576e79904a94055926484747189c77de
-
SHA256
eff974059b7909f8283fdb630a6951d83b772470bf96d748f7510ec73dfeca13
-
SHA512
ecc5cd90108371ea2d5f999e6b95af106dfbb392e500943fa983702f334ef8c00d573ec9eebf70e9238c3e4d20faab6533676bdd01f6d23e8f5b32e7e2fc4c59
-
SSDEEP
1572864:I+zJ89Xx5ouCMhpsJLGix8PJXz8twcwcnLBw2+TGeRBeWqJ58v9AvgPsDrTSC:F8J/oEhWJLPuJjrcwcN/YnRQjJ9gPESC
-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
Suspicious use of SetThreadContext
-