General
-
Target
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
-
Size
199KB
-
Sample
241121-f3nw2aydqa
-
MD5
9feff1a23db299a128f16bc6091df793
-
SHA1
2041542fb6ddc259c2888d587f75a06947d6c0dc
-
SHA256
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9
-
SHA512
6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2
-
SSDEEP
3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W
Static task
static1
Behavioral task
behavioral1
Sample
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
Resource
win10v2004-20241007-en
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Extracted
Protocol: ftp- Host:
ftp.desckvbrat.com.br - Port:
21 - Username:
desckvbrat1 - Password:
fYudY1578@@@@@@
Extracted
xworm
5.0
moneyluckwork.ddns.net:7000
moneyluck.duckdns.org:7000
HLfH6HTja99GuzBA
-
install_file
USB.exe
-
telegram
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Extracted
gurcu
https://api.telegram.org/bot6063212727:AAGxI15ihXd3ydfdlrCIMNDRzM08Ew5M1gY/sendMessage?chat_id=1188038887
Targets
-
-
Target
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9.js
-
Size
199KB
-
MD5
9feff1a23db299a128f16bc6091df793
-
SHA1
2041542fb6ddc259c2888d587f75a06947d6c0dc
-
SHA256
67c03094daa4c6180373eb864cb86f6ae156bc0481115d826917dd950f8e99d9
-
SHA512
6de1016f37d3df9d6b428b19076ea34fe2e9db0bbe09aa9bbaa637237b8130b47fd119bb39274ec618b3e4238ccbf53a4e7a562e2c9c714b73c6392a6a1102c2
-
SSDEEP
3072:AW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+3WXt+NWXt+NWXt+NWXt+NWXt+NWXC:W
-
Detect Xworm Payload
-
Gurcu family
-
Xworm family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Window
1Indicator Removal
1File Deletion
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1