General
- Target: SPOILER_Nextzus_V.8.exe
- Size: 114KB
- Sample: 241029-1y283sskdl
- MD5: 9a960c4436689eca6d2fba6e25378416
- SHA1: 24597aede4f1c4cefb5da2d581771f294eda21d9
- SHA256: 2b15edfc12f281ececc9e3e26ef466bc37f07b28b15d3f60bcaa77732caf4707
- SHA512: 4b9ef3d8156b81690cc8232a7050c58861bac57c76de24fa20389091423d788f3d08a8970c4dd496cbca54f93c39e43b06b40858a6a1deba9e9fb3ab7c027e63
- SSDEEP: 3072:5S/JCF+HYlSHjQmws4Kfu3EaVZ4g7UiRTwKURLkpf:53F+HY8HjLws4MuUKeg4iRTw1La
Static task
static1

Malware Config
Extracted
- Family: xworm
- C2: 185.84.161.64:7000
- Install_directory: %ProgramData%
- install_file: svchost.exe
Targets
- Target: SPOILER_Nextzus_V.8.exe (hashes as listed under General)
- Detect Xworm Payload
- Xworm family
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
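The extracted config and the behavioural signatures above translate directly into hunting logic. The script below is an added example, not part of the sandbox report or of XWorm itself: it takes the C2 host:port, install directory and install file name from the report and runs them, together with the behavioural signatures, over a constructed JSON-lines telemetry sample. The event schema, the sample records, the expansion of %ProgramData% to C:\ProgramData, the set of directories where a genuine svchost.exe lives, the registry paths assumed to underlie the BIOS and location checks (HKLM\HARDWARE\DESCRIPTION\System\BIOS and HKCU\Control Panel\International\Geo) and the list of public IP-lookup hosts are all assumptions made here; the report names none of them.

```python
"""Hunt for the XWorm indicators from the sandbox report over constructed telemetry.

Added example (not the report's or the malware's code). The event format, sample
records, registry paths and IP-lookup hosts below are assumptions, not report data.
"""
import json
import ntpath

# --- Indicators taken from the report's extracted XWorm config -----------------
SAMPLE_NAME = "SPOILER_Nextzus_V.8.exe"
C2_HOST = "185.84.161.64"
C2_PORT = 7000
INSTALL_DIR = r"%ProgramData%"
INSTALL_FILE = "svchost.exe"

# Assumed: default expansion of %ProgramData% and where a genuine svchost.exe lives.
ENV = {"%programdata%": r"C:\ProgramData"}
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumed: registry keys the "BIOS information" and "location settings" signatures
# usually correspond to (lower-case prefixes, matched after ntpath.normcase).
BIOS_KEY_PREFIX = r"hklm\hardware\description\system\bios"
GEO_KEY_PREFIX = r"hkcu\control panel\international\geo"

# Assumed: a few public IP-lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "checkip.amazonaws.com"}


def expand_env(path: str) -> str:
    """Expand the %VAR% placeholders we know about, case-insensitively."""
    out = path
    for var, value in ENV.items():
        idx = out.lower().find(var)
        if idx != -1:
            out = out[:idx] + value + out[idx + len(var):]
    return out


# Install path the config implies once the environment variable is expanded.
EXPECTED_INSTALL_PATH = ntpath.normcase(ntpath.join(expand_env(INSTALL_DIR), INSTALL_FILE))


def classify(event: dict) -> list[str]:
    """Return the indicator tags one event matches; an empty list means nothing of interest."""
    tags: list[str] = []
    kind = event.get("type")

    if kind == "process_create":
        image = ntpath.normcase(event["image"])
        if image == EXPECTED_INSTALL_PATH:
            tags.append("xworm_install_path")
        # svchost.exe outside the Windows system directories is a masquerade regardless of config.
        if ntpath.basename(image) == INSTALL_FILE and ntpath.dirname(image) not in LEGIT_SVCHOST_DIRS:
            tags.append("rogue_svchost")
        # "Executes dropped EXE": a child process spawned by the sample itself.
        parent = ntpath.normcase(event.get("parent_image", ""))
        if ntpath.basename(parent) == ntpath.normcase(SAMPLE_NAME):
            tags.append("dropped_exe_executed")

    elif kind == "network_connect":
        if event["dst_ip"] == C2_HOST:
            tags.append("c2_host_port" if event["dst_port"] == C2_PORT else "c2_host")

    elif kind == "registry_read":
        key = ntpath.normcase(event["key"])
        if key.startswith(BIOS_KEY_PREFIX):
            tags.append("bios_sandbox_check")
        elif key.startswith(GEO_KEY_PREFIX):
            tags.append("geofence_check")

    elif kind == "dns_query":
        if event["query"].lower() in IP_LOOKUP_HOSTS:
            tags.append("external_ip_lookup")

    return tags


def hunt(lines) -> dict[str, list[int]]:
    """Map each tag to the ids of the JSON-lines events that triggered it."""
    findings: dict[str, list[int]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tag in classify(event):
            findings.setdefault(tag, []).append(event["id"])
    return findings


# Constructed sample telemetry, not from the sandbox run. Sysmon does not record
# registry *reads*, so events 3 and 4 assume an API-monitor or sandbox trace.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"}
{"id": 2, "type": "process_create", "image": "C:\\ProgramData\\svchost.exe", "parent_image": "C:\\Users\\victim\\Downloads\\SPOILER_Nextzus_V.8.exe"}
{"id": 3, "type": "registry_read", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer"}
{"id": 4, "type": "registry_read", "key": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"id": 5, "type": "dns_query", "query": "api.ipify.org"}
{"id": 6, "type": "network_connect", "dst_ip": "185.84.161.64", "dst_port": 7000}
{"id": 7, "type": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53}
"""

if __name__ == "__main__":
    for tag, ids in sorted(hunt(SAMPLE_EVENTS.splitlines()).items()):
        print(f"{tag:22} events {ids}")
```

Two caveats when using this against real telemetry: Sysmon and most EDR process logs do not capture registry reads, so the BIOS and geofence tags only fire on API-level traces, and an external IP lookup on its own is weak evidence since plenty of legitimate software does the same; the config-derived tags (the C2 socket and a svchost.exe in %ProgramData%) are the ones worth alerting on.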