General
Target: wininit.bat
Size: 292KB
Sample: 240704-yrjr2sydkg
MD5: cf1da3f20349f15bfacf7c271d60684c
SHA1: ad4a58069d800ca900c5752929aa92d5d87fe3c7
SHA256: ee6dc82f435a2224bcc30034bb5c5827d4470078f5238bf2f6e5a5023528d24f
SHA512: 8743be3187c9a080cc8fb6ec7243ff98f3d157c4e884503045bc56b0d042ef9a81a127c92a8f80d00b899f3e92c11f9877bd3bdf6c7eeb863d1bb503830cdccd
SSDEEP: 6144:OFJjDy7sYeIK8ODi9szVwhTvSPOk07BuYfZ2YIOXi/COBNFfIsqJW:OFZSsV88ERrSP+7EQ20QFwJW
Static task: static1
Malware Config
Extracted: xworm
  super-nearest.gl.at.ply.gg:17835
  best-bird.gl.at.ply.gg:27196
  wiz.bounceme.net:6000
  install_file: USB.exe
Extracted: asyncrat
  Default
  finally-grande.gl.at.ply.gg:25844
  delay: 1
  install: false
  install_folder: %AppData%
Targets
Target: wininit.bat
Size: 292KB
- Detect Xworm Payload
- Async RAT payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry