General
Target: 409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e.exe
Size: 65.8MB
Sample: 241002-bkztcszcjq
MD5: 4e57a4ffcd80f3323997b7f4d287c43b
SHA1: a5219f47566c3859d4163de2b2248779e4b348c3
SHA256: 409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e
SHA512: db7ecfc778bcd02b7ab2ad0845120c1303c97831151c83316e1d3b731f8ae41e73a18791d5774d60b7f2062ee0a11c178124cf127fb7d54c804dce97e0233279
SSDEEP: 1572864:1pwUgUIgIeCSI9JF+8e2eSLYQA//1YCZG0ISKATMQjlh7k:1hC33VR0Qk/yOGjCMwDk
Static task: static1
Behavioral task: behavioral1
Sample: 409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e.exe
Resource: win7-20240903-en
Malware Config
Extracted: lumma
Extracted: xworm
Version: 5.0
C2: lun.servepics.com:25902
Mutex: gUAMuTh5gjsDB7Ov
install_file: USB.exe
telegram: https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0
Extracted: lumma
C2: https://gravvitywio.store/api
Extracted: gurcu
C2: https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755
Targets
Target: 409b00bb07631e7425f5818b5badbee0e30491a7a89849ccefc6852d78af434e.exe (size and hashes as listed under General above)
- Detect Xworm Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of SetThreadContext