General

  • Target

    temp2.vbs

  • Size

    153KB

  • Sample

    240530-wtak2sha33

  • MD5

    631e60cc727021350a3aea3b714129cd

  • SHA1

    c84572fb7c39eea9f13e27af080da58fcfae5a66

  • SHA256

    4782216f166d2c937ea193e284a8630ad44c916ebde04e80ea49aaf1f385e71d

  • SHA512

    07cfb832299ee4a75ca33499f4c9075f175d19f7c81cfdbcd2d194c0769bb6d2399468f0746e617a895c0ab91c84b7b23174b71b59f91ad429837373fd01b3c1

  • SSDEEP

    1536:jfAfd99CObSq6xcqOdaJK6GunshLW0/5JpI5nceNg0B5bUZlu9gISsRa:7Afd3oJK6k/AcKg0B5cZ

Malware Config

Extracted

  • Family

    xworm

  • Version

    3.1

  • C2

    maynewxw9402.duckdns.org:9402

  • Mutex

    5lzENq7am7Igyca8

  • Attributes

    • install_file

      USB.exe

    • aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15