Overview

overview

10

Static

static

1

Paymentxx212093.vbs

windows7-x64

8

Paymentxx212093.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Paymentxx212093.vbs

  • Size

    150KB

  • Sample

    240608-splkzacg9w

  • MD5

    4986a0bfa6ae968632439e36e76bba38

  • SHA1

    e63b5c00a3dc1211252836437b87817a8ab270fb

  • SHA256

    27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9

  • SHA512

    346c1e13857bda390277152cb0bee0874f61acc06c34f666e26e7450a4d3f88aaab75a345a25bcaf9ca522e51e0a4ed774545f6ae625a803dabe8d7bf7604f09

  • SSDEEP

    1536:jrUd99CObi/SXcfGdaJK6Uo6phGW0/5JJd0Pc1Ug0BjbUZlu9gISsRz:vUdqRJK6l/oc6g0Bjcc

Score
10/10
xwormexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

june9402xw.duckdns.org:9402

Mutex

TAtfGa9f0WCjVzn6

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      Paymentxx212093.vbs

    • Size

      150KB

    • MD5

      4986a0bfa6ae968632439e36e76bba38

    • SHA1

      e63b5c00a3dc1211252836437b87817a8ab270fb

    • SHA256

      27133b9541228c135784f7c6c3bb9425975d7e7880ae278fea040b0ffcb8eee9

    • SHA512

      346c1e13857bda390277152cb0bee0874f61acc06c34f666e26e7450a4d3f88aaab75a345a25bcaf9ca522e51e0a4ed774545f6ae625a803dabe8d7bf7604f09

    • SSDEEP

      1536:jrUd99CObi/SXcfGdaJK6Uo6phGW0/5JJd0Pc1Ug0BjbUZlu9gISsRz:vUdqRJK6l/oc6g0Bjcc

    Score
    10/10
    executionxwormpersistenceratspywarestealertrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks