General
Target: dabc8d69b304a27576205cc1054f7ea71ba89cc2ac9026f9863829c7622ba5b3.zip
Size: 387KB
Sample: 241206-dxxkwaxrdt
MD5: a78808c70ac319e7e5be5000e2c62f1f
SHA1: 38a90bf6b4335859bf242bb589f00885a104a201
SHA256: dabc8d69b304a27576205cc1054f7ea71ba89cc2ac9026f9863829c7622ba5b3
SHA512: 43181a2d0f34aa1c37e7f797383325c10ae72cf5a47563d9bf9e72d750c20b6d25cef46087ec2db8dc67073cfc58d37049efcd988fb5e7e2b765275e2ffe26f7
SSDEEP: 12288:tv9V9vuecXR6YQs/SnyuMTpzk8G5Acuvu:7Gej7tjokh5Acuvu
Static task: static1
Behavioral task: behavioral1
  Sample: BQ_PO#385995.exe
  Resource: win7-20240903-en
Malware Config
Extracted: xworm
  Version: 3.1
  C2: 69.174.100.131:7000
  Mutex (field unlabeled in the report; assumed): I1KOVoZcD6Qqbmm9
  install_file: USB.exe
Extracted: vipkeylogger
  Exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
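As an added example (not part of the sandbox report), the Python below turns the extracted configuration above into structured, defanged indicators. The raw text is a constructed copy of the config block as the report prints it; treating the unlabeled 16-character XWorm value as the mutex is an assumption, and the defang and public-IP checks are the usual ones a responder applies before pasting indicators into a ticket.

```python
"""
Parse the sandbox's extracted-config block into structured, defanged IOCs.

Added example, not sandbox or vendor code. RAW_CONFIG is a constructed copy
of the report's Malware Config section. Labelling the unlabeled XWorm value
as the mutex is an assumption.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the report's Malware Config section (flat key/value dump).
RAW_CONFIG = """\
Extracted
xworm
3.1
69.174.100.131:7000
I1KOVoZcD6Qqbmm9
install_file
USB.exe
Extracted
vipkeylogger
https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
"""

# Telegram Bot API path: /bot<bot_id>:<secret>/<method>; the whole bot_id:secret pair is the token.
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def split_extractions(raw: str) -> list[list[str]]:
    """Split the flat text on 'Extracted' markers into one value list per family."""
    blocks: list[list[str]] = []
    current: list[str] | None = None
    for line in raw.splitlines():
        line = line.strip()
        if not line or line == "-":          # bullet residue in the report dump
            continue
        if line == "Extracted":
            current = []
            blocks.append(current)
        elif current is not None:
            current.append(line)
    return blocks


def parse_telegram_url(url: str) -> dict:
    """Decompose a Telegram Bot API URL into bot id, token, method and chat_id."""
    parts = urlsplit(url)
    m = TELEGRAM_BOT_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or not m:
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    q = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # a live credential for the attacker's bot
        "method": m["method"],
        "chat_id": q.get("chat_id", [None])[0],
    }


def is_public_ip(host: str):
    """True/False for an IP literal, None for a hostname."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return None


def parse_xworm(values: list[str]) -> dict:
    """Values appear in report order: version, c2, mutex (assumed), then attribute pairs."""
    version, c2, mutex = values[0], values[1], values[2]
    host, port = c2.rsplit(":", 1)
    attrs = dict(zip(values[3::2], values[4::2]))   # e.g. 'install_file' -> 'USB.exe'
    return {
        "family": "xworm",
        "version": version,
        "c2_host": host,
        "c2_port": int(port),
        "c2_is_public_ip": is_public_ip(host),
        "mutex": mutex,                             # assumed meaning of the unlabeled value
        "install_file": attrs.get("install_file"),
    }


def parse_config(raw: str) -> dict:
    """Map family name -> parsed config for every 'Extracted' block."""
    iocs = {}
    for values in split_extractions(raw):
        family, rest = values[0], values[1:]
        if family == "xworm":
            iocs["xworm"] = parse_xworm(rest)
        elif family == "vipkeylogger":
            iocs["vipkeylogger"] = {"family": "vipkeylogger", "exfil_url": rest[0],
                                    **parse_telegram_url(rest[0])}
    return iocs


def defang(s: str) -> str:
    """Make indicators safe to paste: 1.2.3.4 -> 1[.]2[.]3[.]4, https -> hxxps."""
    return s.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def indicator_lines(iocs: dict) -> list[str]:
    """Defanged one-liners for a ticket or blocklist."""
    xw, vk = iocs["xworm"], iocs["vipkeylogger"]
    return [
        f"ip-port: {defang(xw['c2_host'])}:{xw['c2_port']}  XWorm {xw['version']} C2",
        f"filename: {xw['install_file']}  XWorm install_file",
        f"mutex: {xw['mutex']}  XWorm (assumed field meaning)",
        f"url: {defang(vk['exfil_url'])}  VIPKeylogger exfil",
        f"telegram: bot {vk['bot_id']} -> chat {vk['chat_id']}  VIPKeylogger",
    ]


if __name__ == "__main__":
    for line in indicator_lines(parse_config(RAW_CONFIG)):
        print(line)
```

The `bot<id>:<secret>` path segment is both an indicator and a live credential for the attacker's bot, so keep the raw URL out of shared documents and use the defanged form. The `chat_id` identifies the receiving Telegram account or group and is often reused across samples from the same operator, which makes it a better pivot than the token, which the operator can regenerate.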
Targets
Target: BQ_PO#385995.exe
Size: 398KB
MD5: 7e3e88fad78dff83ea421084315bfd78
SHA1: 2e185874ff61f0097b34ae66cdc09bbbf1951f62
SHA256: 26c434592adaffa102b1cc61983fd9355dfa4fe0e06ad3acb50732892f67d466
SHA512: 432da571335f6eb1b827eceb1bf0b0cc62b2a1a7734fce3374620769487e908916a39b0e4c94ef6e764f65f3ce7066040055e52d14a7b84bb1e1650ec355460f
SSDEEP: 6144:OzzpHNxvSI3xlkVxOwDWcvPRavLhOPxersLWd3JyQdETiOhhe3DU705AN8u1tdQM:INxvSec3RMY+sLSZyyETvzck05AGuvr
Detect Xworm Payload
VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Vipkeylogger family
Xworm family
Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that matching files and processes are no longer scanned. Adding exclusions requires administrator rights, and Defender records the configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence: the sample may refuse to run, or behave differently, in particular countries, so a sandbox whose locale does not match the intended victims can see a different execution path.
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
  Stored Outlook account settings are a common credential-theft target and line up with the Credentials from Password Stores technique listed below.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to discover the infected system's external IP address; the HTTP request to a well-known lookup host is often the first network indicator the sample produces.
Suspicious use of SetThreadContext
  Changing another thread's context is the step that redirects execution in process hollowing and similar injection techniques, and is commonly how an unpacked payload is started inside a second process.
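The three described behaviours above (PowerShell Defender exclusions, the registry country-code lookup, the external IP lookup) and the Telegram exfiltration endpoint from the extracted config can be expressed as simple detection rules. The block below is an added example, not sandbox or vendor code: it runs four such rules over constructed endpoint telemetry and flags the processes that accumulate suspicious behaviour. The command line, the registry key path (`HKCU\Control Panel\International\Geo\Nation`, the standard location of the user's country setting, which the report does not name), the list of IP lookup hosts and the browser exclusion list are assumptions; the ATT&CK id attached to the IP lookup rule is marked as an assumed mapping.

```python
"""
Rule-based triage of endpoint telemetry for the behaviours the report flags.

Added example; not sandbox or vendor code. EVENTS is constructed telemetry
shaped like the report's signatures (process, registry-query and network
records). The command line, the registry key path, the IP lookup host list
and the browser list are assumptions; the ATT&CK id marked "assumed" is my mapping.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed events. Only the file names and the Telegram URL come from the report.
EVENTS = [
    {"type": "process", "image": "BQ_PO#385995.exe", "parent": "explorer.exe",
     "cmdline": "BQ_PO#385995.exe"},
    {"type": "process", "image": "powershell.exe", "parent": "BQ_PO#385995.exe",
     "cmdline": "powershell -nop -w hidden Add-MpPreference -ExclusionPath "
                "C:\\Users\\u\\AppData\\Roaming -ExclusionProcess USB.exe -ExclusionExtension .exe"},
    {"type": "registry_query", "image": "BQ_PO#385995.exe",
     "path": "HKCU\\Control Panel\\International\\Geo\\Nation"},   # assumed key path
    {"type": "network", "image": "BQ_PO#385995.exe", "host": "api.ipify.org",
     "url": "https://api.ipify.org/"},
    {"type": "network", "image": "BQ_PO#385995.exe", "host": "api.telegram.org",
     "url": "https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763"},
    # Benign lookalikes the rules must not fire on.
    {"type": "process", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell Get-MpPreference | Select ExclusionPath"},
    {"type": "network", "image": "chrome.exe", "host": "web.telegram.org",
     "url": "https://web.telegram.org/k/"},
]

# PowerShell accepts unambiguous parameter prefixes, so "-ExclusionP" must match too: hence \w*.
MP_EXCLUSION = re.compile(r"(?i)\b(Add|Set)-MpPreference\b[^|;]*?-Exclusion\w*")
GEO_NATION = re.compile(r"(?i)\\Control Panel\\International\\Geo\\Nation$")
TELEGRAM_BOT = re.compile(r"(?i)^https?://api\.telegram\.org/bot\d+:[\w-]+/")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org",
                   "icanhazip.com", "ipinfo.io"}                      # assumed list
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}                # assumed list


@dataclass(frozen=True)
class Rule:
    name: str                      # the report's signature wording where one exists
    technique: str                 # ATT&CK id
    match: Callable[[dict], bool]
    critical: bool = False         # one hit is enough to flag the process


def basename(ev: dict) -> str:
    return ev["image"].rsplit("\\", 1)[-1]


def defender_exclusion(ev: dict) -> bool:
    return (ev["type"] == "process" and basename(ev).lower() in {"powershell.exe", "pwsh.exe"}
            and MP_EXCLUSION.search(ev["cmdline"]) is not None)


def geo_lookup(ev: dict) -> bool:
    return ev["type"] == "registry_query" and GEO_NATION.search(ev["path"]) is not None


def external_ip_lookup(ev: dict) -> bool:
    return ev["type"] == "network" and ev["host"].lower() in IP_LOOKUP_HOSTS


def telegram_bot_exfil(ev: dict) -> bool:
    # Bot API traffic from anything other than a browser is worth a look.
    return (ev["type"] == "network" and TELEGRAM_BOT.match(ev["url"]) is not None
            and basename(ev).lower() not in BROWSERS)


RULES = [
    Rule("Command and Scripting Interpreter: PowerShell (Defender exclusions)",
         "T1562.001", defender_exclusion, critical=True),
    Rule("Checks computer location settings", "T1614", geo_lookup),
    Rule("Looks up external IP address via web service", "T1016 (assumed mapping)", external_ip_lookup),
    Rule("Telegram Bot API exfiltration", "T1567", telegram_bot_exfil),
]


def evaluate(events: list) -> list:
    """One hit per (event, rule) pair that matched, in event order."""
    return [{"event": i, "image": basename(ev), "rule": r.name, "technique": r.technique}
            for i, ev in enumerate(events) for r in RULES if r.match(ev)]


def suspicious_processes(hits: list, min_rules: int = 2) -> set:
    """Flag a process on any critical hit, or on >= min_rules distinct behaviours."""
    critical = {r.name for r in RULES if r.critical}
    per_image: dict = {}
    for h in hits:
        per_image.setdefault(h["image"], set()).add(h["rule"])
    return {img for img, rules in per_image.items()
            if rules & critical or len(rules) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for h in hits:
        print(f"event {h['event']:>2}  {h['image']:<18} {h['technique']:<24} {h['rule']}")
    print("suspicious:", sorted(suspicious_processes(hits)))
```

Two telemetry caveats: Sysmon does not log registry reads (only create, set and delete), so the country-code rule needs sandbox API traces or an EDR that records value queries; and Defender's own event 5007 is an independent, tamper-resistant record of the exclusion change that the PowerShell rule can be cross-checked against. The SetThreadContext signature is not covered here because it is only visible to API-level hooking, not to process or network logs.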
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (T1555) (1)
    Credentials from Web Browsers (T1555.003) (1)
  Unsecured Credentials (T1552) (2)
    Credentials In Files (T1552.001) (2)