General
- Target: cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
- Size: 748KB
- Sample: 240629-b7cbksyapg
- MD5: 457143901d9ca2f0bc836c1dd1faefe3
- SHA1: 11e554dcfca0dd51c5bfe92d35b9c13b21b81691
- SHA256: cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
- SHA512: 0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
- SSDEEP: 12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
Static task: static1
Behavioral task: behavioral1
- Sample: cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
- Resource: win7-20240419-en
Malware Config
Extracted: xworm
- head-experimental.gl.at.ply.gg:46178
- best-bird.gl.at.ply.gg:27196
- super-nearest.gl.at.ply.gg:17835
- wiz.bounceme.net:6000
- install_file: USB.exe
Extracted: asyncrat
- Default
- finally-grande.gl.at.ply.gg:25844
- delay: 1
- install: false
- install_folder: %AppData%
Extracted: quasar
- 3.1.5
- Slave
- stop-largely.gl.at.ply.gg:27116
- $Sxr-kl1r656AGsPQksTmi8
- encryption_key: ql4fQ8TV9ZFP9vRX2myA
- install_name: $sxr~Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $77STARTUP~MSF
- subdirectory: $sxr~SubDir
Targets
- Target: cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
- Detect Xworm Payload
- Quasar payload
- Async RAT payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.