General

Target: ShibaLoader.bat
Size: 48KB
Sample: 250201-e8fbeaslav
MD5: cf03d51ea7c92f39c049a8bac53e600b
SHA1: bca665f956cc89dbca11c6f0123a6a3c09862369
SHA256: f380251e8bbf78c8dfb3e9a42061b2c33fafb4ac521d24644d4489cb6a39e77d
SHA512: 430c07e508a15506c4a7ac1934314a793c96084bdc60c8bba5283ef402097212f7407207a5b071aade0d62f3b2fd44d622fae8d76fa1f8507b8106d702ce75f3
SSDEEP: 768:dGF+McQHCeIB8kNaScUpGsn47DhizLVN7FSi2Vw7vDeBdE7bcjXIJD6na:q9c2CPB8OZc3ss8ThP7vis7wj4JDv

Static task: static1

Malware Config

Extracted
Family: xworm
Version: 5.0
C2: 127.0.0.1:25811
C2: 8.tcp.eu.ngrok.io:25811
S18UdfokIrz0cmvm
Install_directory: %ProgramData%
install_file: USB.exe
Targets

Target: ShibaLoader.bat (48KB; same MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Detect Xworm Payload
- Xworm family
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
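The signatures above map onto host and network telemetry that a defender can hunt for. The following is an added example, not part of the sandbox report or of the sample: it classifies simplified Sysmon-style events (ProcessCreate, RegistryEvent value set, NetworkConnect, DnsQuery, using Sysmon's field names) against the behaviours the report lists, using the C2 hosts, port, install directory and install file from the extracted config. The event records are constructed for illustration, and the list of IP-lookup hostnames is an assumption, since the report does not say which service the sample queried.

```python
"""
Hunt over Sysmon-style telemetry for the behaviours this report attributes to
ShibaLoader.bat / XWorm: Defender exclusions added via PowerShell, Run-key
persistence, execution of the dropped USB.exe under %ProgramData%, C2 over an
ngrok tunnel on port 25811, and an external IP lookup.

Added example, not part of the sandbox report. Indicators come from the
report's extracted config; the events are constructed and the IP-lookup
hostnames are an assumption.
"""
import re

# From the report's extracted xworm config.
C2_HOSTS = {"127.0.0.1", "8.tcp.eu.ngrok.io"}
C2_PORT = 25811
INSTALL_FILE = "usb.exe"                # install_file: USB.exe (matched case-insensitively)
INSTALL_DIR_MARKER = "\\programdata\\"  # Install_directory: %ProgramData%, as it appears on disk

# Assumption: common external-IP lookup services; the report does not name the one used.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
MP_PREF_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)
NGROK_RE = re.compile(r"\.ngrok(-free)?\.(io|app|dev)$", re.I)


def classify(event: dict) -> list:
    """Return the report signature names that a single event matches."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # Sysmon ProcessCreate
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("powershell.exe") and MP_PREF_RE.search(cmd):
            hits.append("Command and Scripting Interpreter: PowerShell")
        if INSTALL_DIR_MARKER in image and image.endswith(INSTALL_FILE):
            hits.append("Executes dropped EXE")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        target = event.get("TargetObject", "")
        details = event.get("Details", "").lower()
        if RUN_KEY_RE.search(target) and INSTALL_FILE in details:
            hits.append("Adds Run key to start application")
    elif eid == 3:  # Sysmon NetworkConnect
        host = event.get("DestinationHostname", "").lower()
        ip = event.get("DestinationIp", "")
        if event.get("DestinationPort") == C2_PORT and (host in C2_HOSTS or ip in C2_HOSTS):
            hits.append("Xworm C2 (extracted config)")
        if NGROK_RE.search(host):
            hits.append("Legitimate hosting services abused for malware hosting/C2")
    elif eid == 22:  # Sysmon DnsQuery
        if event.get("QueryName", "").lower() in IP_LOOKUP_SERVICES:
            hits.append("Looks up external IP address via web service")
    return hits


def hunt(events):
    """Classify every event; result[i] is the list of signatures matched by events[i]."""
    return [classify(e) for e in events]


# Constructed events approximating what Sysmon would log for this sample's behaviours.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden Add-MpPreference "
                    "-ExclusionPath C:\\ProgramData -ExclusionProcess USB.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\USB",
     "Details": r"C:\ProgramData\USB.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\USB.exe",
     "CommandLine": r'"C:\ProgramData\USB.exe"'},
    {"EventID": 3, "DestinationHostname": "8.tcp.eu.ngrok.io", "DestinationPort": 25811},
    {"EventID": 22, "QueryName": "api.ipify.org"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        print(event["EventID"], hits or "-")
```

The C2 check keys on the exact host and port from the extracted config, while the ngrok check is deliberately broader (any ngrok tunnel hostname), since the tunnel subdomain and port change between builds; the second rule is the one worth keeping as a generic hunt after this sample's infrastructure is gone.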
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)