General
-
Target
x4Joexexe.exe
-
Size
8.3MB
-
Sample
240704-c2gjsazejn
-
MD5
380ebda713b2e097ecebd5dc2a76bb52
-
SHA1
c4d558f574e8f6729018b69c60533b39dfd18e76
-
SHA256
3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211
-
SHA512
fc0d255ab7468139793fbc39e64e4811863f6fdc3c736086b645c484a20514f2c28b1225438dc6995ab033bec4791c42cc264db80994bdd9ee057394dc2234cc
-
SSDEEP
196608:c1+tQqVENtzdZ/HtNt4Z/OgVQa8z9fnE:cqqNtz7ft4Z/XV7kVE
Static task
static1
Behavioral task
behavioral1
Sample
x4Joexexe.exe
Resource
win7-20240508-en
Malware Config
Extracted
asyncrat
1.0.7
Mr.Joex
seems-radio.gl.at.ply.gg:2519
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
Winhlp32.exe
-
install_folder
%Temp%
Extracted
xworm
3.1
seems-radio.gl.at.ply.gg:2519
-
Install_directory
%Temp%
-
install_file
USB.exe
Targets
-
-
Target
x4Joexexe.exe
-
Size
8.3MB
-
MD5
380ebda713b2e097ecebd5dc2a76bb52
-
SHA1
c4d558f574e8f6729018b69c60533b39dfd18e76
-
SHA256
3c2f5b524cb47ae11c54e65b48a8ae2898e88c737d8229b28513f0c15b940211
-
SHA512
fc0d255ab7468139793fbc39e64e4811863f6fdc3c736086b645c484a20514f2c28b1225438dc6995ab033bec4791c42cc264db80994bdd9ee057394dc2234cc
-
SSDEEP
196608:c1+tQqVENtzdZ/HtNt4Z/OgVQa8z9fnE:cqqNtz7ft4Z/XV7kVE
-
Detect Xworm Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Async RAT payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-