Overview

overview

10

Static

static

1

awb_post_d...df.vbs

windows7-x64

10

awb_post_d...df.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    awb_post_dhl_delivery_documents_pdf.vbs

  • Size

    177KB

  • Sample

    250307-tfr7tssycw

  • MD5

    63fa1b58e48acb386a8b650951530771

  • SHA1

    adf30b16e042e3d4cf2c5c570ec0afcf446afac0

  • SHA256

    119a6e21aa53c235fe4a946d74e870b41823d1cf49c39d29a528e1a0ddfd9042

  • SHA512

    8c328b2876d05cb649190578565daa152f145e0dce86b3aae8eca826f09796040fcc856911050e2540a9df92cf923c90cac6848e5326e2040dd415993dcd7107

  • SSDEEP

    384:JffffffffQffffffffQffffffffmh44444444D4c0YAL8ZNGJoNycffffffffQfS:K0Yq/G

Score
10/10
xwormdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://www.pastery.net/rdakwa/raw/
exe.dropper

https://files.catbox.moe/sakuuo.msu
exe.dropper

https://files.catbox.moe/6sdjc5.msu
exe.dropper

https://www.pastery.net/rdakwa/raw/

Extracted

Family

xworm

Version

5.0

C2

freeetradingzone.duckdns.org:3911

Mutex

LpxI7BBpG4bLELYn

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      awb_post_dhl_delivery_documents_pdf.vbs

    • Size

      177KB

    • MD5

      63fa1b58e48acb386a8b650951530771

    • SHA1

      adf30b16e042e3d4cf2c5c570ec0afcf446afac0

    • SHA256

      119a6e21aa53c235fe4a946d74e870b41823d1cf49c39d29a528e1a0ddfd9042

    • SHA512

      8c328b2876d05cb649190578565daa152f145e0dce86b3aae8eca826f09796040fcc856911050e2540a9df92cf923c90cac6848e5326e2040dd415993dcd7107

    • SSDEEP

      384:JffffffffQffffffffQffffffffmh44444444D4c0YAL8ZNGJoNycffffffffQfS:K0Yq/G

    Score
    10/10
    executionxwormdefense_evasiondiscoverypersistencerattrojan

    • Detect Xworm Payload

    • UAC bypass

      defense_evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

      defense_evasion

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Window

1
T1564.003

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks