General

Target: login
Size: 27KB
Sample: 250207-zvdwmsylgl
MD5: d0a165d56b32ea5ea2e0402fc4b48336
SHA1: 1deafd5727a8d4d5a0bdcb027e351ea9c9a8a880
SHA256: 0a0ddd5f09fbe703ab643b11593b2c4964524cd5290aaab5ed4b22602ecdb473
SHA512: 0a9706ebdb6d3c4531898bf79f91005a777a148bc381a90bcc1893ecc3f5fd39f949819f913d620d7b0a839aeeb4382443ec5e3c361000a8011792c948012130
SSDEEP: 384:gYm5X477sGGzK+TpQn7M9cyqy/f2f/Yb6WiZDuujffGfMfwepz3syZj5XCqzGX3D:O/+scm2f/Yb6Hhuuj3UWwep7syZ9Cb
Tasks

Static task: static1
Behavioral task: behavioral1 (sample login.html, resource win7-20241010-en)
Behavioral task: behavioral2 (sample login.html, resource win10v2004-20250207-en)
Malware Config

Extracted family: xworm
Version: 5.0
C2: 127.0.0.1:7000 (loopback; the configured C2 is the analysis host itself, so the sample will not beacon to any external host during the run and this address is not a usable network indicator)
Unlabeled config field: QzIFGn8iOnGjezTy (the report does not say which XWorm setting this string belongs to; confirm against the decrypted config before treating it as a key or mutex)
install_file: USB.exe
Targets

Target: login
Size: 27KB (hashes identical to the General section above; same file)
Signatures

- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Detect Xworm Payload
- Xworm family
- Downloads MZ/PE file
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution

Note that the submitted sample is an HTML file, so the .NET and Agile.Net signatures describe content the sample obtains during the behavioral run rather than the HTML itself, consistent with the "Downloads MZ/PE file" signature.
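The following is an added example, not part of the sandbox report or of any sandbox vendor's tooling. It is a small Python triage helper for the indicators above: it checks a local file against the report's hashes, tests a downloaded blob for a valid MZ/PE header (the "Downloads MZ/PE file" signature), and scans a payload's strings, decoded both as ASCII and as UTF-16LE since .NET string literals are stored as UTF-16LE, for the Set-MpPreference disable switches the Windows Defender signature describes. The report names only realtime monitoring and block-at-first-seen; the remaining switch names in the pattern are an assumed extension, and every input below is constructed.

```python
"""Triage helpers for the indicators in the XWorm sandbox report above.

Added example; not part of the report. Hash values and size come from the
report's General section; all sample inputs are constructed.
"""
import hashlib
import re

# Indicators copied from the report's General section.
REPORT_IOCS = {
    "md5": "d0a165d56b32ea5ea2e0402fc4b48336",
    "sha1": "1deafd5727a8d4d5a0bdcb027e351ea9c9a8a880",
    "sha256": "0a0ddd5f09fbe703ab643b11593b2c4964524cd5290aaab5ed4b22602ecdb473",
    "sha512": (
        "0a9706ebdb6d3c4531898bf79f91005a777a148bc381a90bcc1893ecc3f5fd39"
        "f949819f913d620d7b0a839aeeb4382443ec5e3c361000a8011792c948012130"
    ),
}


def hash_matches(data: bytes, iocs: dict = REPORT_IOCS) -> dict:
    """Return {algorithm: bool} telling which report hashes `data` matches."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == expected
        for algo, expected in iocs.items()
    }


def is_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS 'MZ' header whose e_lfanew points at
    a 'PE\\0\\0' signature, i.e. looks like the MZ/PE file the signature flags."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Set-MpPreference switches. RealtimeMonitoring and BlockAtFirstSeen are the
# two the report names; the others are an assumed extension of the pattern.
DEFENDER_SWITCHES = re.compile(
    r"(?i)\bDisable(?:RealtimeMonitoring|BlockAtFirstSeen|IOAVProtection|"
    r"BehaviorMonitoring|ScriptScanning|IntrusionPreventionSystem)\b"
)


def strings_ascii_and_utf16(data: bytes) -> str:
    """Return the ASCII (latin-1) and UTF-16LE decodings of `data`, joined,
    so indicator scans catch .NET user strings stored as UTF-16LE."""
    return data.decode("latin-1") + "\n" + data.decode("utf-16-le", errors="ignore")


def defender_tamper_indicators(text: str) -> list:
    """Return the distinct Defender disable switches referenced in `text`,
    in order of first appearance (case-insensitive de-duplication)."""
    found = []
    seen = set()
    for match in DEFENDER_SWITCHES.finditer(text):
        name = match.group(0)
        if name.lower() not in seen:
            seen.add(name.lower())
            found.append(name)
    return found


def build_fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for testing; not a real binary."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


if __name__ == "__main__":
    # Constructed stand-in for a dropped PowerShell command line.
    cmd = ("powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true "
           "-DisableBlockAtFirstSeen $true")
    print("defender switches:", defender_tamper_indicators(cmd))
    print("fake PE header recognised:", is_pe(build_fake_pe()))
    print("HTML is not PE:", is_pe(b"<html><body>login</body></html>"))
    print("hash check on unrelated bytes:", hash_matches(b"not the sample"))
```

Run the script against a real candidate by reading the file's bytes into `hash_matches` and, for a downloaded payload, into `is_pe` and `strings_ascii_and_utf16`; a match on any of the four hashes identifies the exact file from the report, while the Defender and PE checks are generic triage aids and not a substitute for the sandbox's own signatures.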