General
-
Target
Kling_CompletedVideo.zip
-
Size
52.9MB
-
Sample
241002-yytwlaxgqb
-
MD5
32361c8c9d620b7d499248cf63e09644
-
SHA1
c0d0d9337ab9bedf8a87aee51b17f3173f115b03
-
SHA256
ab779a17f2fb5dcff87c0f55466e46fc31adf6b2b11141703d7cd484fc6a2343
-
SHA512
8e3c19e438662423422a359cf2591ef9f2d5c42097f3188db2bec2feb02d57de24ad3dc73d3e1e998e50cdb2693a26e94cf4c0174a9cc8472860a4daec70731d
-
SSDEEP
786432:tQaraHj6rxPWK/Ax5ZgRB1yUDqiFjSfuBgMYo0kyowSuXKWpb7SM58vFKzqW4fQN:tQamD6rxDggRI0BgVo0NtKW5V58tWmW
Static task
static1
Behavioral task
behavioral1
Sample
Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
Resource
win7-20240903-en
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7276041743:AAHcuQBIgMQxThnw-SMW4PSn0GYAkSjroxA/sendMessage?chat_id=-1002395802128
Targets
-
-
Target
Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
-
Size
53.5MB
-
MD5
3d48cdbd6d323a25303ec7c6e6c31176
-
SHA1
044a8d324faf96eaaca3a8323bcb1eb75ecca1d8
-
SHA256
96ff951df16221de54c394c38869aa77e6e7424669521ce5aaabee379b6f96f1
-
SHA512
b64d6714530d342c7f615261062f8e60a6d472651878de2748edef862f1811d32b919a0252013e1cd8cea45b68fa9aa6f5f6ccf39298a80efa8fdf0829522f61
-
SSDEEP
786432:rnkl+yqXRVMeIrKNdd8T7lEwR0A9z2x4HdIooSaEOUcaLAC1tVCCxQTl8vUOwZgN:I+LXRVCe8TUqHdXoSB5ACt5xQ5wk
-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1