General

  • Target

    FACELECTRONICASERVICIOSNo00000023847829.vbs

  • Size

    224KB

  • Sample

    250127-zprwbawjer

  • MD5

    d5bfaee20cb41b21aa1c0b585492a182

  • SHA1

    b9d63b379e84ddad697f22106f3ce1e473364ca9

  • SHA256

    ba826234ceb14141d54951504e76e88739eb7e76025a37f4890e8b4d5ac04242

  • SHA512

    44a3915878cc43b13bb8fbe533cf14ccfdf9c230c1c63d2a2c4b761aceff9e5f26b5d6eebdc1508fe6c067d2dc44b88ef1886f8162c0e9016a7ac5996296316c

  • SSDEEP

    3072:FLbVmI3b0mgfmWu+me9VOv5iG5sVhQ30Wk+70wgA11:FLbVJe9VOvp

Malware Config

Extracted

Family

xworm

Version

5.0

C2

31.13.224.246:5028

Mutex

fvEl2mhoY8EbFYQE

Attributes

  • install_file

    USB.exe

aes.plain

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks