General
- Target: Wave-Setup.rar
- Size: 167.7MB
- Sample: 241224-mn2mxavqdp
- MD5: de7e49e9bcdd16b5277e1e3530809190
- SHA1: 8141f3a016c06d77928aa71c6b43c85a69168fce
- SHA256: f6a128d68369bc3168bb3a62ca2ee3d76358451c19ef1856f3e7f3f08be49ae1
- SHA512: 3bcd32324865ef5e483b9ab086a80992647834006559410aa9d240065bacb2b820bdb1a404581201bafca6f814a5427252e646074f2d646c0a2cf213a947e0ef
- SSDEEP: 3145728:R3/uBX3vh5enGs17YW8mxrzY1fFSMzroxK8DGjnYnkNaaJ7uj:Ic3xPQroxKL6kNa0k
Static task: static1

Malware Config

Extracted: xworm
- performance-fate.gl.at.ply.gg:42662
- install_file: USB.exe
- telegram: https://api.telegram.org/bot7651370384:AAG232SHNI0DUqNg_k8ER0yNF115YV4vH08/sendMessage?chat_id=6338341120

Extracted: gurcu
- https://api.telegram.org/bot7651370384:AAG232SHNI0DUqNg_k8ER0yNF115YV4vH08/sendMessage?chat_id=6338341120
Targets
- Target: Wave-Setup.rar
- Detect Xworm Payload
- Gurcu family
- Xworm family
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
- Suspicious use of NtSetInformationThreadHideFromDebugger