General
Target: 4ea74d638cf40fe1f40e6cdfe564cc55e9d2546ef856ce261a1636fc83d02a32.zip
Size: 3KB
Sample: 240403-bpenzsbf48
MD5: d03bfc8079284f50346ade38cf5cc09b
SHA1: 7a75359a165e5325a80467a1debf273f47a97ec9
SHA256: 4ea74d638cf40fe1f40e6cdfe564cc55e9d2546ef856ce261a1636fc83d02a32
SHA512: 2752ec262e3f021414c4a51278a9939b13b7e621834fba9cfaacbda0200b1a8b7dc54669892a05cc15d6fb39e9a24081683753a1eb02daebabf6f348267cd577
Static task: static1
Behavioral task: behavioral1
Sample: R9283762154.wsf
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: R9283762154.wsf
Resource: win10v2004-20231215-en
Malware Config
Extracted
xworm
3.1
marxrwonew9090.duckdns.org:9090
jAGA4ZotP9f5mS9c
Install_directory: %AppData%
install_file: USB.exe
Targets
Target: R9283762154.wsf
Size: 4KB
MD5: 8e047f6425b7cea3bcbaa0f78f5f7e14
SHA1: 815c48877684459d0ef854e868bdd6fcb3e79274
SHA256: d8aea7be5efe36eb90538c5f54a02f966e95bc6475c836d94795ae67f7ff15c7
SHA512: 7b474beab4decea2bf793899d736e5bd4bbe07be42d6a5c55a0c7db1a7f51ab62498484ab308b3e847b973559e3b87b4e4c4182724c627cfc5889358501032ce
SSDEEP: 48:WTgpFb0AdhwfG6p+IhWJDUTUg5FaAuaaJZGZUoUuUdO9Q/KjBo6RBNamMB9Ug8h8:KMh/76oMG2am4Twj+nxYD8fAc
Score: 10/10
- Detect Xworm Payload
- Detects Windows executables referencing non-Windows User-Agents
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext