General
-
Target
49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286
-
Size
376KB
-
Sample
241211-k6gdks1jgk
-
MD5
674698ce43b5028c156c8bd9a908dc09
-
SHA1
5b0517a6f78828b0b139bd6ad8870df3217c9d63
-
SHA256
49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286
-
SHA512
24afe9514cd18ce8cb17a174f1e6a5f31aa82631a4f844ce7b2d08ffab4fcfb9cd8e757584717f003ad0e23f8d1dd9769e42996f198668fbe7582e2a660aa451
-
SSDEEP
6144:CmR7q+dL+PNCT/OPmt8/ixYyuoKPadiiA3DJeHcsNjxbbjcqmllTFQurRI9l:CmR7RdL+PmKhyU7sHcsxxbbopDmm29l
Static task
static1
Behavioral task
behavioral1
Sample
Your file name without extension goes here.exe
Resource
win7-20240903-en
Malware Config
Extracted
xworm
5.0
69.174.100.131:7000
MruG8tu9BvvVUsIA
-
install_file
USB.exe
Extracted
vipkeylogger
https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Extracted
asyncrat
0.5.8
Default
69.174.100.131:6606
abkZfsCYRZhk
-
delay
10
-
install
false
-
install_file
order.exe
-
install_folder
%AppData%
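Pivoting on the extracted configuration, as an added example that is not part of this report: the indicator values below are the C2 sockets, the Telegram Bot API identifiers and the install_file names listed above. The log line formats and the sample lines are constructed for the demonstration, and the bot token is replaced by a placeholder; the matcher keys on the api.telegram.org host, the /bot path prefix and the numeric bot and chat ids rather than on the secret.

```python
"""Match the report's extracted C2 and exfiltration indicators against logs.

Added example, not part of the sandbox report or the sample.  The indicator
values are the ones listed under Malware Config above; the log lines are
constructed here (the Telegram bot token is replaced by a placeholder) and
are not from the sandbox run.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Indicators from the extracted configs (xworm 5.0, asyncrat 0.5.8, vipkeylogger).
C2_SOCKETS = {
    ("69.174.100.131", 7000): "xworm 5.0",
    ("69.174.100.131", 6606): "asyncrat 0.5.8",
}
TELEGRAM_BOT_ID = "7721085569"     # numeric prefix of the bot token in the sendMessage URL
TELEGRAM_CHAT_ID = "6236275763"
DROPPED_NAMES = {"usb.exe", "order.exe"}   # install_file values, compared case-insensitively


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    reason: str


# Constructed log shapes (assumed formats): "src:port -> dst:port" flow records,
# proxy lines containing a URL, and Sysmon-style "Image=<path>" process lines.
_FLOW = re.compile(r"\d+\.\d+\.\d+\.\d+:\d+\s*->\s*(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)")
_URL = re.compile(r"""https?://[^\s"']+""")
_IMAGE = re.compile(r"\bImage=(?P<path>\S+)")


def scan_line(line_no, line):
    """Return every indicator hit on one log line."""
    hits = []

    m = _FLOW.search(line)
    if m:
        sock = (m.group("dst"), int(m.group("port")))
        if sock in C2_SOCKETS:
            hits.append(Hit(line_no, C2_SOCKETS[sock], f"connection to C2 {sock[0]}:{sock[1]}"))

    for url in _URL.findall(line):
        u = urlparse(url)
        # Any Bot API call from an endpoint is worth a look; the exact bot and
        # chat ids tie the traffic to this sample's config.
        if u.hostname == "api.telegram.org" and u.path.startswith("/bot"):
            bot_id = u.path[len("/bot"):].split(":", 1)[0]
            chat_id = parse_qs(u.query).get("chat_id", [None])[0]
            reason = "Telegram Bot API traffic"
            if bot_id == TELEGRAM_BOT_ID and chat_id == TELEGRAM_CHAT_ID:
                reason += " (bot and chat_id match the extracted config)"
            hits.append(Hit(line_no, "vipkeylogger", reason))

    m = _IMAGE.search(line)
    if m and m.group("path").rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
        hits.append(Hit(line_no, "xworm/asyncrat", f"dropped install_file executed: {m.group('path')}"))

    return hits


def scan(lines):
    """Scan an iterable of log lines; returns hits in line order."""
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]


# Constructed sample log (not from the sandbox run); 192.0.2.0/24 is TEST-NET.
SAMPLE_LOG = [
    "flow 10.0.0.5:49712 -> 69.174.100.131:7000 proto=tcp",
    "flow 10.0.0.5:49713 -> 192.0.2.10:443 proto=tcp",
    "proxy GET https://api.telegram.org/bot7721085569:TOKEN-REDACTED/sendMessage?chat_id=6236275763",
    r"sysmon EventID=1 Image=C:\Users\Admin\AppData\Roaming\order.exe",
    "flow 10.0.0.5:49720 -> 69.174.100.131:6606 proto=tcp",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.family}: {h.reason}")
```

Both RAT configs point at the same host on different ports, so a hit on either port is the same infrastructure; the dropped-file check is intentionally loose (basename only) because install_folder is %AppData% for asyncrat but unspecified for xworm on this page.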
Targets
-
Target
Your file name without extension goes here.exe
-
Size
378KB
-
MD5
fbf8e3dc8cbcf036474e0a43a27aa8bd
-
SHA1
ae8404bdaa3c6a8e115f208f4a63d971061045f9
-
SHA256
8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e
-
SHA512
4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa
-
SSDEEP
6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH
-
Asyncrat family
-
Detect Xworm Payload
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.
-
Vipkeylogger family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
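Detection logic for the Defender-exclusion behaviour flagged above, as an added example rather than anything from the report or the sample. It assumes the input is PowerShell script-block text (for instance the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational event 4104) and resolves abbreviated parameter names the way PowerShell does, because "-ExclusionPa" binds to -ExclusionPath and defeats an exact string match. The three Disable* switches are real Set-MpPreference parameters included here to cover the "Disable or Modify Tools" side of the same tactic; the sample script block is constructed.

```python
"""Flag PowerShell that adds Defender exclusions or disables protection.

Added example (not from the sandbox report or the sample).  It scans
script-block text such as the ScriptBlockText field of PowerShell
Operational event 4104 for Add-MpPreference / Set-MpPreference calls.
The sample script block below is constructed for the demonstration.
"""
import re

# Parameters that add exclusions (the report's "exclusions for file
# extensions, paths, and processes") and switches that turn protection off.
# Keys are lower-case because PowerShell parameter names are case-insensitive.
EXCLUSION_PARAMS = {
    "exclusionpath": "path",
    "exclusionextension": "extension",
    "exclusionprocess": "process",
}
TAMPER_PARAMS = {
    "disablerealtimemonitoring": "DisableRealtimeMonitoring",
    "disablebehaviormonitoring": "DisableBehaviorMonitoring",
    "disableioavprotection": "DisableIOAVProtection",
}
_KNOWN = {**{k: ("exclusion", v) for k, v in EXCLUSION_PARAMS.items()},
          **{k: ("tamper", v) for k, v in TAMPER_PARAMS.items()}}

# One Add-/Set-MpPreference invocation, up to the end of the statement.
_CMD = re.compile(r"(?i)\b(add|set)-mppreference\b([^;\r\n|]*)")
# Tokens: single- or double-quoted strings, otherwise runs of non-space.
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
_PARAM = re.compile(r"^-[A-Za-z]\w*$")


def _resolve_param(name):
    """Map a (possibly abbreviated) parameter name to a known one.

    PowerShell binds any unambiguous prefix of a parameter name, so
    '-ExclusionPa' is -ExclusionPath while '-Exclusion' is ambiguous and
    errors out.  Returns (kind, canonical) or None.
    """
    name = name.lower()
    matches = [k for k in _KNOWN if k.startswith(name)]
    return _KNOWN[matches[0]] if len(matches) == 1 else None


def _split_values(tokens):
    """Turn ['"a",', '"b"'] or ['exe,dll'] into ['a', 'b'] / ['exe', 'dll']."""
    joined = "".join(tokens)
    values = [v.strip().strip("'\"") for v in joined.split(",")]
    return [v for v in values if v]


def find_defender_tampering(text):
    """Return (cmdlet, kind, value) triples for every exclusion added or
    protection switch set in the script-block text."""
    findings = []
    for m in _CMD.finditer(text):
        cmdlet = m.group(1).capitalize() + "-MpPreference"
        tokens = _TOKEN.findall(m.group(2))
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if not _PARAM.match(tok):
                continue
            resolved = _resolve_param(tok[1:])
            # Collect this parameter's value tokens up to the next parameter.
            values = []
            while i < len(tokens) and not _PARAM.match(tokens[i]):
                values.append(tokens[i])
                i += 1
            if resolved is None:
                continue
            kind, canonical = resolved
            if kind == "exclusion":
                for v in _split_values(values):
                    findings.append((cmdlet, canonical, v))
            else:
                # A switch given with no value means $true in PowerShell.
                findings.append((cmdlet, "tamper:" + canonical, "".join(values) or "$true"))
    return findings


# Constructed script-block text (not from the sandbox run).
SAMPLE_4104 = r"""
Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming' -ExclusionExtension exe,dll
Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionProcess "order.exe", "USB.exe"
add-mppreference -exclusionpa 'C:\Users\Admin\AppData\Local\Temp'
Write-Host 'nothing to see'
"""

if __name__ == "__main__":
    for cmdlet, kind, value in find_defender_tampering(SAMPLE_4104):
        print(f"{cmdlet}: {kind} = {value}")
```

Excluding the drop directory (%AppData%, the asyncrat install_folder on this page) and the dropped executables by name is exactly the combination the report's signature describes, so a rule built on these triples can alert on the path and process values as well as on the cmdlet itself. Script-block logging is the right source because it records the de-obfuscated text, whereas a command-line-only detection misses the same call issued through an encoded command.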
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (4)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)