General
- Target: PolyBuilds_1v1.exe
- Size: 6KB
- Sample: 241230-qrhkzswldq
- MD5: d33f9bf161de3e5d13b151c761e37a8d
- SHA1: 3a9a4dabadccc73511825bec341eeb2de3fd82ce
- SHA256: f9e6d4d0c0c325f5ac3cd6617b3c1bd4ac37c7de6acc35bfb60173095bd540fb
- SHA512: bb20c073b3735a4e3780ca6ada4005db25b79061c6cf4aacbe4656f626ba62373b878bd09965a9bbed887780fcf91e27b57bab6cb44cd0306009528cb732918b
- SSDEEP: 96:UoQkaCRyzH7CRZ8lk8if/91UV35l1Rf9BzNt:O9zbCT8on9OV35lDf9D
Static task: static1

Behavioral task: behavioral1
- Sample: PolyBuilds_1v1.exe
- Resource: win7-20240708-en
Malware Config
Extracted: xworm
- Install_directory: %AppData%
- install_file: RtkAudUService64.exe
- pastebin_url: https://pastebin.com/raw/6ZBHT1SN
Targets
- Target: PolyBuilds_1v1.exe
- Size: 6KB
- MD5: d33f9bf161de3e5d13b151c761e37a8d
- SHA1: 3a9a4dabadccc73511825bec341eeb2de3fd82ce
- SHA256: f9e6d4d0c0c325f5ac3cd6617b3c1bd4ac37c7de6acc35bfb60173095bd540fb
- SHA512: bb20c073b3735a4e3780ca6ada4005db25b79061c6cf4aacbe4656f626ba62373b878bd09965a9bbed887780fcf91e27b57bab6cb44cd0306009528cb732918b
- SSDEEP: 96:UoQkaCRyzH7CRZ8lk8if/91UV35l1Rf9BzNt:O9zbCT8on9OV35lDf9D

- Detect Xworm Payload
- Xworm family
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.