General
-
Target
0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
-
Size
2.1MB
-
Sample
241011-j2fqtatcqb
-
MD5
de2b7ec32d3a5c530e5a1aa6f2b27b16
-
SHA1
83c3c02a1c5746882094939ed4f1ab61954ff8f0
-
SHA256
0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f
-
SHA512
e76d643dc5fad7de78172bafe3b33da231bbce76fb2c46235338e811112f32775dfd20acf770141808ee00c0e9527829933d9ec1ee04c776b774eff80168bee8
-
SSDEEP
24576:S/BARUsXRaTX3P/drZ6p7Ut2Qcbgn5DFIOG+N3mYm8hz8UQn652/BJOD:i2HXRWXdrEDQ0gn5xfG+8H8hz8rdm
Static task
static1
Behavioral task
behavioral1
Sample
0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
Resource
win7-20240903-en
Malware Config
Extracted
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
Extracted
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20
Extracted
xworm
5.0
65.52.240.233:5555
hVgkZkPRZQoZH7T4
-
Install_directory
%AppData%
-
install_file
sys32.exe
-
telegram
https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI
Extracted
gurcu
https://api.telegram.org/bot7375017271:AAF3S5-3qI4b0tLhUfBGhd5L6j0wySL4pLI/sendMessage?chat_id=-4568444843
Targets
-
-
Target
0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f.exe
-
Size
2.1MB
-
MD5
de2b7ec32d3a5c530e5a1aa6f2b27b16
-
SHA1
83c3c02a1c5746882094939ed4f1ab61954ff8f0
-
SHA256
0cf06c833517acebaebf18e5b36edccb4903a112117dbee1a19f9b76c7a7b36f
-
SHA512
e76d643dc5fad7de78172bafe3b33da231bbce76fb2c46235338e811112f32775dfd20acf770141808ee00c0e9527829933d9ec1ee04c776b774eff80168bee8
-
SSDEEP
24576:S/BARUsXRaTX3P/drZ6p7Ut2Qcbgn5DFIOG+N3mYm8hz8UQn652/BJOD:i2HXRWXdrEDQ0gn5xfG+8H8hz8rdm
-
Detect Xworm Payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1