General
-
Target
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466.exe
-
Size
398KB
-
Sample
241206-csnlqs1lcj
-
MD5
7e3e88fad78dff83ea421084315bfd78
-
SHA1
2e185874ff61f0097b34ae66cdc09bbbf1951f62
-
SHA256
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466
-
SHA512
432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f
-
SSDEEP
6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr
Static task
static1
Behavioral task
behavioral1
Sample
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
3.1
69.174.100.131:7000
I1KOVoZcD6Qqbmm9
-
install_file
USB.exe
Extracted
vipkeylogger
https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Targets
-
-
Target
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466.exe
-
Size
398KB
-
MD5
7e3e88fad78dff83ea421084315bfd78
-
SHA1
2e185874ff61f0097b34ae66cdc09bbbf1951f62
-
SHA256
26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466
-
SHA512
432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f
-
SSDEEP
6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr
-
Detect Xworm Payload
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-