Overview

overview

10

Static

static

1

upload.vbs

windows7-x64

10

upload.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    upload.vbs

  • Size

    896KB

  • Sample

    240523-t5m96she28

  • MD5

    a227043beb151087c1798b6f9aaabd4c

  • SHA1

    b2c4537386ed7931d9df29719f11f0f019e0f43a

  • SHA256

    b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1

  • SHA512

    1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e

  • SSDEEP

    12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      upload.vbs

    • Size

      896KB

    • MD5

      a227043beb151087c1798b6f9aaabd4c

    • SHA1

      b2c4537386ed7931d9df29719f11f0f019e0f43a

    • SHA256

      b8ac41b4cb337b5d1c12345f1cfbf125efeaafb14f7bdbac85717a358ed2a1d1

    • SHA512

      1031ce3bea154181078799db133f2a8e419f912d548b69bd21572707bd7a3cf2c44cc273b1f582a0edcae73523c2927c210c0917c758b92364d64977b2ca208e

    • SSDEEP

      12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9p:UXh+k+taGKqoJOp

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks