General
-
Target
49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286
-
Size
376KB
-
Sample
241211-lafb3s1lcl
-
MD5
674698ce43b5028c156c8bd9a908dc09
-
SHA1
5b0517a6f78828b0b139bd6ad8870df3217c9d63
-
SHA256
49b452e7b1845695e26941c2814ffd7d605291d65e7234ff4a846128835a3286
-
SHA512
24afe9514cd18ce8cb17a174f1e6a5f31aa82631a4f844ce7b2d08ffab4fcfb9cd8e757584717f003ad0e23f8d1dd9769e42996f198668fbe7582e2a660aa451
-
SSDEEP
6144:CmR7q+dL+PNCT/OPmt8/ixYyuoKPadiiA3DJeHcsNjxbbjcqmllTFQurRI9l:CmR7RdL+PmKhyU7sHcsxxbbopDmm29l
Static task
static1
Behavioral task
behavioral1
Sample
Your file name without extension goes here.exe
Resource
win7-20241023-en
Malware Config
Extracted
xworm
5.0
69.174.100.131:7000
MruG8tu9BvvVUsIA
-
install_file
USB.exe
Extracted
vipkeylogger
https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Extracted
asyncrat
0.5.8
Default
69.174.100.131:6606
abkZfsCYRZhk
-
delay
10
-
install
false
-
install_file
order.exe
-
install_folder
%AppData%
Targets
-
-
Target
Your file name without extension goes here.exe
-
Size
378KB
-
MD5
fbf8e3dc8cbcf036474e0a43a27aa8bd
-
SHA1
ae8404bdaa3c6a8e115f208f4a63d971061045f9
-
SHA256
8d36854957eabf3fb5bc2f0021c00390ee3be13c6f2c1136e5235ef084af966e
-
SHA512
4ae7440769fa33110d60a9a1194a5b4d8d6b5b5bd0f0434e2d669c685113ee4c2791791b529ab626d47b954378459d14dbccb55b74df1dbdfdf623d00cfb1caa
-
SSDEEP
6144:XHmBiyDOQgsDHYlas0uVtudFt/St2QM8oEQk9rqOVKaohD+6WpR2JVmsS:WBiy6QgGeN0G+t6kAX9rKJ66gRH
-
Asyncrat family
-
Detect Xworm Payload
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4