General
Target: BuffMailv1.4.4.rar
Size: 27.0MB
Sample: 250207-qjse8atkfn
MD5: 6c33ffdb0e46ae5be463f2d2900666e3
SHA1: b511f9bd5594c979b87467d745c3a58c2ef397e1
SHA256: b77fc2a0a9dc15d6c640955cbc102f2746840a8f18021a599bfa76d9d253f72d
SHA512: fa623183e87adbb3b463e513ebdc6bfef9a1fe24c61c960af954cad3ba2ffce3247d64ef0612d541cbb19f6c41643c683631888ba926d79d5a9855e749b418bd
SSDEEP: 786432:H9Wg6FBwOgzrLGJkAFR4pilO+Z7GbG0tqqhuiGQajcT:YdBwO7OCRHlOu8tLETQac
Static task: static1
Behavioral task: behavioral1
  Sample: BuffMailv1.4.4/BuffMail_.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: BuffMailv1.4.4/BuffMail_.exe
  Resource: win10v2004-20250129-en
Behavioral task: behavioral3
  Sample: BuffMailv1.4.4/srv.dll
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: BuffMailv1.4.4/srv.dll
  Resource: win10v2004-20250129-en
Behavioral task: behavioral5
  Sample: BuffMailv1.4.4/stk.dll
  Resource: win7-20240903-en
Behavioral task: behavioral6
  Sample: BuffMailv1.4.4/stk.dll
  Resource: win10v2004-20250129-en
Malware Config
Extracted: xworm
Version: 3.1
C2: daddy.linkpc.net:7000
nBfLrI3THCbr8hBO
install_file: USB.exe
Targets

Target: BuffMailv1.4.4/BuffMail_.exe
Size: 17.4MB
MD5: 1786e0965be5615a3d534f0e75740624
SHA1: 8c2e582e9968f2628f125e2126654ac89eb03051
SHA256: 1ed7982878b5d80d819d4aaab2b9fc3ef8a78a4fbc45e40476955b6b34d6e353
SHA512: c6c7451a98352f82cc090f722eb8d981ccdab33e4124d789a17fc9475f45cd93603dae9a2e76d7fe1b43d78f269245f17c28c44b679952a91d58cb4701924673
SSDEEP: 393216:rV/8SWg6F1PwO85zGGAkIDMcJ6V9AFlBpWaBUk4pfKlO88wuCfDuHb+:Z9Wg6FBwOgzrLGJkAFR4pilO+Z7Gb
- Detect Xworm Payload
- Xworm family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Adds Run key to start application
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger

Target: BuffMailv1.4.4/srv.dll
Size: 5.3MB
MD5: 288376007e075bb3c3c26d3ee73e730e
SHA1: 90d74a9cac49643b7a761fe7aefd4c75dc393591
SHA256: 1df077f2d01274acbfad03d58851d43c24bab7f496e16d45af84e8bc7f0b4bea
SHA512: c4e80f34770651f2dbee11210dc609e76590fb9fc9801a13585c48bdcfd1ab558607701ac91bcf556778cfb697e8d7c75430bd98bfc6013d16cc9a1047ef9340
SSDEEP: 98304:zHMZjcJ6rKbkVGUJyQFX46B/ehybvkWyR9JcCkgxMTjMoU95vbr/KKNBC/tR:gZe6WwckwukWKFm0vbL
Score: 1/10

Target: BuffMailv1.4.4/stk.dll
Size: 4.8MB
MD5: 84a0562c63f673277fee115a73fc25ee
SHA1: 295801e535546c4a90b3fb29fe3aa9c34a72a0b0
SHA256: 41da8ab7da5754c6db9611777d455865b8fe53c575468560eb872d8544b75c56
SHA512: 7f0cf491b1412bfae7d60a216ee866d866e56d6c3e8bbba67cfbd7364bac6ffd053f918097cbd73e2734d6e4a64ec4172923408f63dc781c5b3c90e9203cc52e
SSDEEP: 98304:leM6mfgQmiiqsUSry16H74I42WQob8beKnLta2u/thjIn0z2:UekrJ+o89d/njI0z2
Score: 7/10
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger