General
Target: b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14.vbs
Size: 896KB
Sample: 240524-p8slvaeb3z
MD5: 5166cecef029d7b9392a1bc345639747
SHA1: abed1e58d8b9633ccab51ddd5c18994cc8183bc8
SHA256: b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14
SHA512: a07a6c9978f1c0f143413073440763d8f144aa645568b7a82811d398fa089427135238beca0a6d410ce11720c4b12bd594284644a5a7b44c0601ef5a2a5b1488
SSDEEP: 12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9dU:UXh+k+taGKqoJOdU
Static task: static1
Behavioral task: behavioral1
Sample: b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14.vbs
Resource: win7-20240508-en
Malware Config
Extracted
xworm
3.1
xgmn934.duckdns.org:8896
2utLZrxcByvppTdF
install_file: USB.exe
Targets
Target: b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14.vbs
Detect Xworm Payload
Blocklisted process makes network request
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext