Extracted

• • Target

    c56D7_Receipt.vbs

  • Size

    130KB

  • MD5

    878ba89eaad87f86c7ff4e5fee1e1823

  • SHA1

    8f9496d5da92c9a0f64ffe5aa0ee0da259a9da1b

  • SHA256

    30c4d81a0075e27984f768fa73c43240f5b14724a84a5057c15c99114b4aac15

  • SHA512

    2ed93d10566fcd7bc312a321a4551611c08dc1de817cf89c5a46be1d8243b77a075896658dd92d5de9d66d7a5bed92b51d25e0729f06369ba673a12b1a37bc7b

  • SSDEEP

    3072:ZxQCCYVaCCq+c0C49NixM8B20HcO4uuxQCCYVaCCq+c0C49NixM8B20HcO4uA:Z2CCYsfq+cp49oa8B208Mu2CCYsfq+cm

  Score

  10^/10

  guloaderxwormdiscoverydownloaderpersistencerattrojan

  • Detect Xworm Payload

  • Guloader family

    guloader

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2