General

- Target: b74412166bf983a8e0d6ec4efe375eaaa1adb0404749dd30754c018ff623e5fb.vbs
- Size: 60KB
- Sample: 240502-cfs1padh6z
- MD5: 4e4eafea09057c5b1786f452756aee35
- SHA1: a1220c6a137f5ecdcb71967ff682159d6498aaa4
- SHA256: b74412166bf983a8e0d6ec4efe375eaaa1adb0404749dd30754c018ff623e5fb
- SHA512: 055974b4870ed2e15afad3533c1d9a0396b0293b8d26648c38e0fb5ce5376df92b051547a554303476d1d627cba63cd905bb01d200b09bd274103f2ce7f114b8
- SSDEEP: 384:FZAaML0E+2+2kEnpMQ9ZIRpuSk76jM1L7Kc0ZCEXJg:7xQViQ9ZIRgSk7q9ZxZg
Static task: static1

Behavioral task: behavioral1
- Sample: b74412166bf983a8e0d6ec4efe375eaaa1adb0404749dd30754c018ff623e5fb.vbs
- Resource: win7-20240221-en
Malware Config

Extracted
- Family: xworm
- Version: 3.1
- C2: aprilxrwonew8450.duckdns.org:8450
- 0VZWHbNr1OapRPc5
- install_file: USB.exe
Targets

- Target: b74412166bf983a8e0d6ec4efe375eaaa1adb0404749dd30754c018ff623e5fb.vbs (60KB; hashes as listed under General above)
- Detect Xworm Payload
- Detect ZGRat V1
- Detects Windows executables referencing non-Windows User-Agents
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2: the extracted C2 is a duckdns.org dynamic-DNS hostname.
- Suspicious use of SetThreadContext
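Detection logic for the behaviours listed above, as an added example that is not part of the sandbox report and not code from the sample: it parses a constructed API trace in a hypothetical key=value format and applies one rule per reported behaviour (Run-key persistence, the registry geofence read, enumeration of drive roots other than C:, resolution of the extracted duckdns.org C2 and connections to its port 8450, the USB.exe install file being written, a script host making a network request, and SetThreadContext). Only the C2 host, port and install_file name come from the extracted config; the trace format, the trace lines, the pids, the 203.0.113.10 address (a documentation-range IP, not the resolved C2), the HKCU\Control Panel\International\Geo\Nation key used for the geofence check, and the list of "blocklisted" script hosts are assumptions.

```python
"""Added example: rule checks for the behaviours in the report above, run over a
constructed API trace. Not code from the sandbox vendor or from the sample."""
import re

# Indicators copied from the extracted XWorm 3.1 config on this page.
C2_HOST = "aprilxrwonew8450.duckdns.org"
C2_PORT = 8450
INSTALL_FILE = "USB.exe"

# Constructed trace in a hypothetical key=value format. Every line, pid and the
# 203.0.113.10 address (TEST-NET-3) is made up for the example.
SAMPLE_TRACE = r'''
pid=2104 image=wscript.exe api=RegQueryValueExW key="HKCU\Control Panel\International\Geo\Nation"
pid=2104 image=wscript.exe api=CreateFileW path="C:\Users\Admin\AppData\Roaming\USB.exe" access=write
pid=2104 image=wscript.exe api=RegSetValueExW key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\USB" data="C:\Users\Admin\AppData\Roaming\USB.exe"
pid=2104 image=wscript.exe api=connect dst="203.0.113.10:8450"
pid=3320 image=USB.exe api=GetDriveTypeW path="C:\"
pid=3320 image=USB.exe api=GetDriveTypeW path="D:\"
pid=3320 image=USB.exe api=FindFirstFileW path="E:\*"
pid=3320 image=USB.exe api=getaddrinfo host="aprilxrwonew8450.duckdns.org"
pid=3320 image=USB.exe api=connect dst="203.0.113.10:8450"
pid=3320 image=USB.exe api=SetThreadContext target_pid=3404
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumption: the geofence check reads HKCU\Control Panel\International\Geo\Nation;
# the report only says "country code configured in the registry".
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DRIVE_ROOT_RE = re.compile(r"^([A-Z]):\\\*?$", re.I)  # "D:\" or "E:\*"
# Assumption: which script hosts the sandbox's "blocklisted process" list covers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
NETWORK_APIS = {"getaddrinfo", "connect", "WinHttpConnect", "InternetConnectW"}


def parse_line(line):
    """Parse one key=value line; quoted values may contain spaces and backslashes."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def check_event(ev):
    """Return the rule ids that a single parsed event satisfies."""
    api, image = ev.get("api", ""), ev.get("image", "").lower()
    key, path, host, dst = (ev.get(f, "") for f in ("key", "path", "host", "dst"))
    rules = []
    if api.startswith("RegSetValue") and RUN_KEY_RE.search(key):
        rules.append("persistence.run_key")
    if api.startswith("RegQueryValue") and GEO_NATION_RE.search(key):
        rules.append("recon.geofence_registry")
    m = DRIVE_ROOT_RE.match(path)
    if m and m.group(1).upper() != "C":
        rules.append("recon.non_c_drive_root")
    if (api.startswith("CreateFile") and ev.get("access") == "write"
            and path.lower().endswith("\\" + INSTALL_FILE.lower())):
        rules.append("dropper.install_file_written")
    if host.lower() == C2_HOST or host.lower().endswith(".duckdns.org"):
        rules.append("c2.dynamic_dns_resolution")
    if dst.endswith(f":{C2_PORT}"):
        rules.append("c2.config_port_connect")
    if api in NETWORK_APIS and image in SCRIPT_HOSTS:
        rules.append("blocklisted_process.network")
    if api == "SetThreadContext":
        rules.append("injection.set_thread_context")
    return rules


def run_detection(trace):
    """Map each fired rule to the (pid, image, evidence) tuples that triggered it."""
    findings = {}
    for line in trace.strip().splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        evidence = (ev.get("key") or ev.get("path") or ev.get("host")
                    or ev.get("dst") or ev.get("target_pid"))
        for rule in check_event(ev):
            findings.setdefault(rule, []).append((ev.get("pid"), ev.get("image"), evidence))
    return findings


if __name__ == "__main__":
    for rule, hits in sorted(run_detection(SAMPLE_TRACE).items()):
        print(rule)
        for pid, image, evidence in hits:
            print(f"    pid={pid} image={image} {evidence}")
```

The rules are deliberately narrow: the Run-key and C2 checks pivot on the exact indicators from the extracted config, while the drive-root, geofence and SetThreadContext checks are behavioural and would fire on other samples with the same loader pattern. Feed `run_detection` lines from your own API monitor or sandbox export in the same key=value shape to reproduce the report's findings on a new sample.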