General

  • Target

    1.vbs

  • Size

    106KB

  • Sample

    250302-dm3n5sswdv

  • MD5

    0a499888377f40a43d7307bafa8cbd30

  • SHA1

    82123a74391172f0b0d823b427b104661d0e6a33

  • SHA256

    6e1bd325025c71cf2c20c9579dd80504b327794960f5904a308ce74936a4bde6

  • SHA512

    dabcfa799a990d0ca8cede290e75bf76133a0c9cb157e2aa614145b4cc6bda7319b6e33c9d4f44fc7f97ae6e01aa30a123c6ca7ebb8bfc04da89d6dc14cd4052

  • SSDEEP

    3072:4qBpaqQCcV4IptJpeCIxebt/uuqBPc+4wd4/w2ElZoaf:PpDyVptJX/hlQt4wdyalZoC

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
