General
-
Target
VapeClient.exe
-
Size
7.3MB
-
Sample
240212-xzpgtscg52
-
MD5
9e2ffa3af2bf72a7cd5e9a95b249cc83
-
SHA1
5075c4740da04fac24a3c8a5de1d22712f0d221d
-
SHA256
3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581
-
SHA512
deefe184ebdb95d5dc5975d6599798e000c59177e0b8459540d29b7fd1a06af56f0a2ad7758d7ca4baa02d879fea5ca42616b89c1a67f398ad6be486ebc1223c
-
SSDEEP
196608:n88YX3g0lEYwY209wW75pVNOPRoJf7ENtCk:88YHg0l0Y20X75pVqqRET9
Static task
static1
Behavioral task
behavioral1
Sample
VapeClient.exe
Resource
win10v2004-20231215-en
Malware Config
Extracted
xworm
-
Install_directory
%Temp%
-
install_file
microsoftsoftware_sv.exe
-
pastebin_url
https://pastebin.com/raw/aj6A2kvb
Targets
-
-
Target
VapeClient.exe
-
Size
7.3MB
-
MD5
9e2ffa3af2bf72a7cd5e9a95b249cc83
-
SHA1
5075c4740da04fac24a3c8a5de1d22712f0d221d
-
SHA256
3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581
-
SHA512
deefe184ebdb95d5dc5975d6599798e000c59177e0b8459540d29b7fd1a06af56f0a2ad7758d7ca4baa02d879fea5ca42616b89c1a67f398ad6be486ebc1223c
-
SSDEEP
196608:n88YX3g0lEYwY209wW75pVNOPRoJf7ENtCk:88YHg0l0Y20X75pVqqRET9
Score10/10-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1