General
Target: bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13
Size: 64.6MB
Sample: 241007-r7s74ayhrp
MD5: 7854056968780ef9d932c48f3c404b8d
SHA1: 51be32f3ba072e907c1d77b3ad0fdaf9150c9631
SHA256: bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13
SHA512: 154c3f5e7dfd9b4faa7e8d160afc9d8e91abd31d9e38c55e445ea978c0df0ce0cd970fcd426dc8e8f0cf5fd11c30c456665b076c2f92d0da2be3e3ed63794a16
SSDEEP: 1572864:UkTQtD108qdyfZFBanNsnIfnbJYuWiiXS4/6rUXPsDrTSC:UN910xdyfdManIfbJG5D/6rUXPESC
Static task: static1
Malware Config

Extracted: lumma
C2 URLs:
https://reinforcenh.shop/api
https://stogeneratmns.shop/api
https://fragnantbui.shop/api
https://drawzhotdog.shop/api
https://vozmeatillu.shop/api
https://offensivedzvju.shop/api
https://ghostreedmnu.shop/api
https://gutterydhowi.shop/api
https://reliabledmwqj.shop/api

Extracted: xworm
Version: 5.0
C2: lun.servepics.com:25902
Config string (not labelled by the extractor): gUAMuTh5gjsDB7Ov
install_file: USB.exe
telegram: https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0

Extracted: gurcu
Telegram C2/exfiltration URL: https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0/sendMessage?chat_id=-1002375745755
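The configuration above is the part of this report a defender actually acts on, so here is an added example (not part of the sandbox report or of any of the three families' code) that turns it into network indicators and runs them over proxy log lines. Two points it deliberately encodes: api.telegram.org is a legitimate service abused for C2 and is not added to the domain block list; instead the matcher keys on the numeric bot ID 7135459618 (the part of the path before the colon) and on the chat_id, both of which survive a token rotation. The bot token itself is attacker credential material; do not call the Bot API with it from investigation hosts. The log lines are constructed for the example (line 4 uses a placeholder token to show the ID-based match); the log format, the field order and the function names are assumptions.

```python
"""Build network indicators from the Lumma / XWorm / Gurcu configuration
extracted above and match them against proxy log lines."""
import re
from urllib.parse import parse_qs, urlparse

# Values copied from the extracted configuration on this page.
LUMMA_C2 = [
    "https://reinforcenh.shop/api",
    "https://stogeneratmns.shop/api",
    "https://fragnantbui.shop/api",
    "https://drawzhotdog.shop/api",
    "https://vozmeatillu.shop/api",
    "https://offensivedzvju.shop/api",
    "https://ghostreedmnu.shop/api",
    "https://gutterydhowi.shop/api",
    "https://reliabledmwqj.shop/api",
]
XWORM_C2 = "lun.servepics.com:25902"
TELEGRAM_URLS = [
    "https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0",
    "https://api.telegram.org/bot7135459618:AAEwjuHVMZ8NswVnkqN9FunxogXRznBbPD0"
    "/sendMessage?chat_id=-1002375745755",
]

BOT_PATH = re.compile(r"/bot(\d+):")                # Telegram path: /bot<id>:<token>/...
HOST_PORT = re.compile(r"[A-Za-z0-9.-]+:\d{1,5}")   # bare host:port, e.g. CONNECT targets


def build_iocs(lumma_c2, xworm_c2, telegram_urls):
    """Normalise the three configs into one IOC set.

    api.telegram.org is intentionally NOT added as a domain: it is a
    legitimate service abused for C2, so alert on the bot ID and chat ID
    instead. The numeric bot ID survives a token rotation; the token itself
    is attacker credential material and is not used as a match key.
    """
    iocs = {"domains": set(), "host_ports": set(),
            "telegram_bot_ids": set(), "telegram_chat_ids": set()}
    for url in lumma_c2:
        iocs["domains"].add(urlparse(url).hostname.lower())
    host, _, port = xworm_c2.rpartition(":")
    iocs["domains"].add(host.lower())
    iocs["host_ports"].add((host.lower(), int(port)))
    for url in telegram_urls:
        parsed = urlparse(url)
        m = BOT_PATH.match(parsed.path)
        if m:
            iocs["telegram_bot_ids"].add(m.group(1))
        for chat_id in parse_qs(parsed.query).get("chat_id", []):
            iocs["telegram_chat_ids"].add(chat_id)
    return iocs


def match_line(line, iocs):
    """Return (indicator_type, value) hits for one space-separated log line."""
    hits = []
    for token in line.split():
        if "://" in token:
            parsed = urlparse(token)
            host = (parsed.hostname or "").lower()
            if host in iocs["domains"]:
                hits.append(("c2_domain", host))
            m = BOT_PATH.match(parsed.path)
            if m and m.group(1) in iocs["telegram_bot_ids"]:
                hits.append(("telegram_bot", m.group(1)))
            for chat_id in parse_qs(parsed.query).get("chat_id", []):
                if chat_id in iocs["telegram_chat_ids"]:
                    hits.append(("telegram_chat", chat_id))
        elif HOST_PORT.fullmatch(token):
            host, _, port = token.rpartition(":")
            host = host.lower()
            if (host, int(port)) in iocs["host_ports"]:
                hits.append(("xworm_c2", f"{host}:{port}"))
            elif host in iocs["domains"]:
                hits.append(("c2_domain", host))
    return hits


def scan_log(text, iocs):
    """Return [(line_number, hits)] for lines with at least one hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = match_line(line, iocs)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed proxy log excerpt (not from the sandbox run). Line 4 carries a
# placeholder token to show that matching keys on the bot ID and chat ID.
SAMPLE_LOG = """\
2024-10-07T13:01:02Z 10.0.0.5 GET https://example.com/
2024-10-07T13:01:09Z 10.0.0.5 POST https://reinforcenh.shop/api
2024-10-07T13:01:10Z 10.0.0.5 CONNECT lun.servepics.com:25902
2024-10-07T13:01:15Z 10.0.0.5 POST https://api.telegram.org/bot7135459618:ROTATED/sendMessage?chat_id=-1002375745755
2024-10-07T13:02:00Z 10.0.0.7 GET https://update.example.net/check
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG, build_iocs(LUMMA_C2, XWORM_C2, TELEGRAM_URLS)):
        print(number, hits)
```

The Lumma domains are matched on hostname rather than the full `/api` URL because the path is the family's fixed C2 endpoint and the domains rotate; the XWorm entry is matched on the exact host:port pair, which is what a CONNECT or NetFlow record shows.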
Targets

Target: bcc75a703d829adfb645704ac8e9772cfe320fee82ceedcbf1bebb40182aaa13 (64.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

Signatures:
- Detect Xworm Payload
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates processes with tasklist
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of SetThreadContext
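Several of the signatures above are observable in ordinary endpoint telemetry, so here is an added example (not from the report and not the sandbox's own rule logic) that flags them in Sysmon-style events: tasklist process discovery (event 1), attrib-based hiding (event 1), a file dropped into the per-user Startup folder (event 11, with the extracted install_file name USB.exe as an enrichment match), and a DNS query to an external-IP lookup service (event 22). The report does not say which lookup service the sample used or where the startup file was written, so the host list and the event contents are assumptions constructed for the example; the field names follow Sysmon's. SetThreadContext is typically the tail end of a process-hollowing sequence and does not appear in these event types at all; you need API-level telemetry (ETW, EDR) for that one.

```python
"""Flag the behaviours from the signature list above in Sysmon-style events."""
import ntpath

# Assumption: common external-IP lookup services. The report says a
# legitimate lookup service was used but does not name it.
IP_LOOKUP_HOSTS = {
    "ip-api.com", "api.ipify.org", "ipinfo.io", "icanhazip.com",
    "checkip.amazonaws.com", "ifconfig.me", "api.ip.sb",
}
# Per-user Startup folder suffix, lower-cased, NTFS backslashes.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
INSTALL_FILE = "usb.exe"  # install_file from the extracted XWorm config


def classify(event):
    """Return the signature names one event triggers (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = ntpath.basename(event.get("Image", "")).lower()
        args = event.get("CommandLine", "").lower().split()
        if image == "tasklist.exe":
            hits.append("enumerates_processes_with_tasklist")
        # attrib +h, +h +s and +hs all set the hidden attribute; -h clears it
        if image == "attrib.exe" and any(a.startswith("+") and "h" in a for a in args):
            hits.append("hide_artifacts_hidden_files")
    elif eid == 11:  # file create
        target = event.get("TargetFilename", "").lower()
        if STARTUP_DIR in target:
            hits.append("drops_startup_file")
            if ntpath.basename(target) == INSTALL_FILE:
                hits.append("matches_xworm_install_file")
    elif eid == 22:  # DNS query
        if event.get("QueryName", "").lower() in IP_LOOKUP_HOSTS:
            hits.append("looks_up_external_ip")
    return hits


def triage_events(events):
    """Return [(event_index, hits)] for events that trigger at least one rule."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((index, hits))
    return findings


def distinct_signatures(findings):
    """Distinct rule names across a host's findings; the more of these fire
    together in a short window, the closer the host is to this report's profile."""
    return sorted({name for _, hits in findings for name in hits})


# Constructed events in Sysmon field naming (not taken from the sandbox run).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist /fo csv /nh"},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r'attrib +h +s "C:\Users\victim\AppData\Roaming\USB.exe"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft"
                                      r"\Windows\Start Menu\Programs\Startup\USB.exe"},
    {"EventID": 22, "QueryName": "ip-api.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
]

if __name__ == "__main__":
    results = triage_events(SAMPLE_EVENTS)
    for index, hits in results:
        print(index, hits)
    print(distinct_signatures(results))
```

Each rule on its own is noisy (administrators run tasklist and attrib too); the value is in the co-occurrence on one host, which is why the distinct-signature summary is kept separate from the per-event classification.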