General
- Target: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169.exe
- Size: 3.0MB
- Sample: 241030-c98m8svdpe
- MD5: 649673218a19e8fd278c99d1355949f4
- SHA1: da2b13b98dbb3ba3973388866860cb7cb3d2b59e
- SHA256: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
- SHA512: 5e6fab9f007e3015cc743f1ac962d77df7c479b4863e88fafc05a3a57896d7f3359afb91b18dcc88883a56c017c4fe279267a300effc37bf71c186fb080a00cd
- SSDEEP: 24576:1az71UBrCXaw68FowF0vkf2fkAJzGthOXUKqx3Weeg:szRUDyFMPsAB0OXAV
Static task: static1
Behavioral task: behavioral1
- Sample: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169.exe
- Resource: win7-20240903-en
Malware Config
Extracted:
xworm
5.0
193.41.226.233:2222
Kmswbx3MNQibZuVT
- install_file: USB.exe
- telegram: https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026
Targets
- Target: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169.exe
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm family
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist