General
- Target: file.exe
- Size: 1.8MB
- Sample: 241212-s62zaa1kfk
- MD5: 58f824a8f6a71da8e9a1acc97fc26d52
- SHA1: b0e199e6f85626edebbecd13609a011cf953df69
- SHA256: 5e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
- SHA512: 7d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461
- SSDEEP: 49152:OA12qngJy5Eptzh8wg9fmH5pKKMmDiuV:OHJyEptzh8n05QHwV
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240903-en
Malware Config
- Extracted: xworm
  - 5.0
  - 127.0.0.1:8080
  - 101.99.92.189:8080
  - d5gQ6Zf7Tzih1Pi1
  - install_file: USB.exe
- Extracted: invictastealer
  - https://discord.com/api/webhooks/1284928312644210758/NMr-jAIuHGcipUibd7yBiXxOZi0wJo9DYokyl6ErP_A2ww1OULjv48d2__GYb89K8I_O
Targets
- Target: file.exe
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Invictastealer family
- Xworm family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Identifies Wine through registry keys: Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (1)
    - Credentials in Registry (1)