General
- Target: Custom Browser.cmd
- Size: 292KB
- Sample: 240704-vz54gazfjk
- MD5: fd8aea3cd998330750841e3ecdac4e19
- SHA1: c395986291831a1bcbdee268bb52dc8351e2d071
- SHA256: 1bc1a8f37e99916432c45d0793edb90034223cd77004eb182c23f8a3328fc2f3
- SHA512: 17c00003e52d486b58f1d0fc730bd132b799715169cd2360eeea74a2d92d98fc4c5b8cb00fe29a6c94d2a2401cfcc895a9ec1072eb1f256a6201de33c57644b2
- SSDEEP: 6144:OTJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OTZSsV88ERrSP+7EQ20QFwJW

Static task
- static1

Malware Config

Extracted: xworm
- super-nearest.gl.at.ply.gg:17835
- best-bird.gl.at.ply.gg:27196
- wiz.bounceme.net:6000
- install_file: USB.exe

Extracted: asyncrat
- Default
- finally-grande.gl.at.ply.gg:25844
- delay: 1
- install: false
- install_folder: %AppData%

Targets

Target: Custom Browser.cmd
- Size: 292KB
- MD5: fd8aea3cd998330750841e3ecdac4e19
- SHA1: c395986291831a1bcbdee268bb52dc8351e2d071
- SHA256: 1bc1a8f37e99916432c45d0793edb90034223cd77004eb182c23f8a3328fc2f3
- SHA512: 17c00003e52d486b58f1d0fc730bd132b799715169cd2360eeea74a2d92d98fc4c5b8cb00fe29a6c94d2a2401cfcc895a9ec1072eb1f256a6201de33c57644b2
- SSDEEP: 6144:OTJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OTZSsV88ERrSP+7EQ20QFwJW
- Detect Xworm Payload
- Async RAT payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.