General
- Target: temp2.vbs
- Size: 153KB
- Sample: 240530-wtak2sha33
- MD5: 631e60cc727021350a3aea3b714129cd
- SHA1: c84572fb7c39eea9f13e27af080da58fcfae5a66
- SHA256: 4782216f166d2c937ea193e284a8630ad44c916ebde04e80ea49aaf1f385e71d
- SHA512: 07cfb832299ee4a75ca33499f4c9075f175d19f7c81cfdbcd2d194c0769bb6d2399468f0746e617a895c0ab91c84b7b23174b71b59f91ad429837373fd01b3c1
- SSDEEP: 1536:jfAfd99CObSq6xcqOdaJK6GunshLW0/5JpI5nceNg0B5bUZlu9gISsRa:7Afd3oJK6k/AcKg0B5cZ
- Static task: static1
- Behavioral task: behavioral1 (sample: temp2.vbs, resource: win10-20240404-en)
- Behavioral task: behavioral2 (sample: temp2.vbs, resource: win7-20240419-en)
Malware Config
- Extracted: xworm
- 3.1
- maynewxw9402.duckdns.org:9402
- 5lzENq7am7Igyca8
- install_file: USB.exe
Targets
- Target: temp2.vbs
- Detect Xworm Payload
- Blocklisted process makes network request
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext