General

  • Target: Shipping_Documents.pdf__1.7z.zip
  • Size: 36KB
  • Sample: 250306-rknn4a1lv9
  • MD5: fabb9c3c6c2b4c504ebfece203556942
  • SHA1: a7f9dae3e62fed0b49916ab5e4ffd111f8fa7994
  • SHA256: 22b36e1c397813f53c8a4d5e46a1a7547a3be485ba451130c931c3ac2e0b1e5d
  • SHA512: 52705b0e7322958c0acf587dd3a42ab7cc9175979718d5d7775251b4e83e4686ad2edb1eb8255b4d4768b51e2cc5bf4faae4161f390bda80841dc7f234f75c01
  • SSDEEP: 768:LzWW0JvrfGol9V2gJ0uHuSab8wt6dC4wfMCVlJPXPjPMrePcB5:LSdZzGolmiAb/6ddw0OPbkrKcf

Malware Config

Extracted

Family: xworm
Version: 5.0
C2: expressblessingnow001.duckdns.org:3911
Mutex: RGibYsdTDFPkg2QK

Attributes
  • install_file: USB.exe

aes.plain

Targets

    • Target: Shipping_Documents.pdf_.vbs
    • Size: 72KB
    • MD5: d8e3bf5f66fd94bc6eac4c31a80752c7
    • SHA1: 19b8f112fe35de01170434a90c9080155dfa0736
    • SHA256: db330e50d5573d582f7874ae62c48052bbf899c89ee27b3a0639a526b0e3232f
    • SHA512: 647ae0f8e7eef2aceec6dc27d8ef0fb64c63712ad02f4fa0b81329b844276ecc0bd2d429960f8c1b4928c806cf1c82b59dd8826a4a558ed2726da645640985d1
    • SSDEEP: 1536:rNx0vFMLSEGgcX4XTA66MrhifWezrLm3kaHV/wSCDCfcP8p:rNx0yfj8fWey3Hcuyo

    • Detect Xworm Payload
    • Xworm
      Xworm is a remote access trojan written in C#.
    • Xworm family
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell and hides the display window.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file

MITRE ATT&CK Enterprise v15

Tasks