General

Target: receipt.vbs
Size: 566B
Sample: 240224-kpvvmsfg3w
MD5: 686860d977e6310d41860c16a97f2d4a
SHA1: faa79b6a4577760a3bfcdd42ee07bba6985cbacb
SHA256: 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c
SHA512: c51f34fc6a96bcb062d6da319b91419dead953055bbb8227ac7942f4525b8a7d349d3422040e21bd0ca3e2097838c5645cd25fe6ea66a353bf9fb80ad55129f3
Static task: static1

Behavioral task: behavioral1
Sample: receipt.vbs
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: receipt.vbs
Resource: win10v2004-20240221-en
Malware Config

Extracted: xworm 3.1
C2: xwv5group7001.duckdns.org:7001
mrkh245537gVoEKF
install_file: USB.exe
Targets

Target: receipt.vbs
Size: 566B
MD5: 686860d977e6310d41860c16a97f2d4a
SHA1: faa79b6a4577760a3bfcdd42ee07bba6985cbacb
SHA256: 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c
SHA512: c51f34fc6a96bcb062d6da319b91419dead953055bbb8227ac7942f4525b8a7d349d3422040e21bd0ca3e2097838c5645cd25fe6ea66a353bf9fb80ad55129f3
Score: 10/10

- Detect Xworm Payload
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
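The indicators above (file hashes, the Xworm C2 host and port, the install_file name, and the Run-key persistence and dynamic-DNS signatures) can be turned directly into detection logic. The following is an added example, not code from the sandbox report or from any tool it describes: it matches those indicators against a handful of constructed Sysmon-style event lines. The event format, host names, IP addresses and the list of script hosts are assumptions for illustration; it also generalizes slightly beyond the report by flagging any *.duckdns.org lookup and any Run key pointing at USB.exe, not only the exact C2 host.

```python
"""Added example (not part of the sandbox report): match the report's
indicators against constructed DNS, network and registry event lines.
Event format, host names, IPs and SCRIPT_HOSTS are assumptions."""
import hashlib
import re
from collections import namedtuple

# Indicators copied from the report above
IOC_HASHES = {
    "md5": "686860d977e6310d41860c16a97f2d4a",
    "sha1": "faa79b6a4577760a3bfcdd42ee07bba6985cbacb",
    "sha256": "00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c",
    "sha512": "c51f34fc6a96bcb062d6da319b91419dead953055bbb8227ac7942f4525b8a7d"
              "349d3422040e21bd0ca3e2097838c5645cd25fe6ea66a353bf9fb80ad55129f3",
}
C2_HOST = "xwv5group7001.duckdns.org"
C2_PORT = 7001
INSTALL_FILE = "usb.exe"          # install_file from the extracted config, lower-cased
DYNDNS_SUFFIX = ".duckdns.org"    # the "legitimate hosting service" abused here
# Script hosts that should not normally open sockets (assumed list, in the spirit of
# the "Blocklisted process makes network request" signature, not its exact contents)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

Finding = namedtuple("Finding", "rule severity line")

# Constructed event lines in an assumed "TIMESTAMP KIND key=value ..." format
SAMPLE_EVENTS = [
    "2024-02-24T10:01:02Z DNS host=WS01 qname=xwv5group7001.duckdns.org",
    "2024-02-24T10:01:03Z NET host=WS01 image=C:\\Windows\\System32\\wscript.exe dst=203.0.113.5:7001",
    "2024-02-24T10:01:05Z REG host=WS01 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=USB data=C:\\Users\\u\\AppData\\Roaming\\USB.exe",
    "2024-02-24T10:02:10Z DNS host=WS02 qname=update.example.com",
    "2024-02-24T10:02:11Z NET host=WS02 image=C:\\Apps\\browser.exe dst=198.51.100.7:443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split 'TIMESTAMP KIND k=v k=v' into a dict (values contain no spaces)."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update(ts=ts, kind=kind)
    return fields


def check_event(line: str) -> list:
    """Apply the report-derived rules to one event line and return any findings."""
    ev = parse_event(line)
    hits = []
    if ev["kind"] == "DNS":
        qname = ev.get("qname", "").lower().rstrip(".")
        if qname == C2_HOST:
            hits.append(Finding("xworm-c2-dns", "high", line))
        elif qname.endswith(DYNDNS_SUFFIX):
            hits.append(Finding("dyndns-lookup", "medium", line))
    elif ev["kind"] == "NET":
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        port = int(ev.get("dst", ":0").rsplit(":", 1)[-1])
        if port == C2_PORT and image in SCRIPT_HOSTS:
            hits.append(Finding("xworm-c2-port-from-script-host", "high", line))
        elif image in SCRIPT_HOSTS:
            hits.append(Finding("script-host-network", "medium", line))
    elif ev["kind"] == "REG":
        key = ev.get("key", "").lower()
        target = ev.get("data", "").rsplit("\\", 1)[-1].lower()
        # Any Run key whose data ends in the config's install_file name
        if key.endswith("\\currentversion\\run") and target == INSTALL_FILE:
            hits.append(Finding("xworm-run-key", "high", line))
    return hits


def scan(lines) -> list:
    """Run check_event over every line and flatten the findings."""
    return [f for line in lines for f in check_event(line)]


def hashes_match(data: bytes) -> list:
    """Return the algorithms whose digest of `data` equals the report's value."""
    return [alg for alg, h in IOC_HASHES.items()
            if hashlib.new(alg, data).hexdigest() == h]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.line}")
```

Run against the constructed events, the scan reports the C2 lookup, the wscript.exe connection to port 7001 and the Run key pointing at USB.exe, and ignores the two benign lines. The severity split is deliberate: an exact C2 host or the exact install_file name is a high-confidence match for this sample, while a generic duckdns.org lookup or a script host opening a socket is worth a look but is not proof of Xworm on its own.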