General

  • Target: 03072025_0532_F.186 DEL 25072025_6.vbs.zip
  • Size: 59KB
  • Sample: 250703-f8g1nsvlx2
  • MD5: 11e6e386046aa3461bfe0950787869ad
  • SHA1: aee7469dd95e49ed9ab240eb65cad0fc30c3193f
  • SHA256: 9d2c73cfa7c33619ef39cf9730018743a64131c2f4df6c364f6eab96e15e71f6
  • SHA512: f82b5f7c36cb778faaa89617188d45c6007e92f4f5a1b08c6e0d3761db3f09e13f0c008a190ef245618b3d50d34b4958cafed4196e0c166851a78d4428ee0cba
  • SSDEEP: 1536:4bhIboJZx2cpbxRgZ1ERa70LcFeP1hekQNxPAvKj:Uyqx2cx6oC0LcgP1hefxPAg

Malware Config

Extracted

  • Family: xworm
  • C2: www.ferrylin.com:2556

Attributes

  • install_file: USB.exe

Targets

    • Target: F.186 DEL 25072025_6.vbs
    • Size: 136KB
    • MD5: 246bd115dc7efb015ff481bbdcd8e87a
    • SHA1: 60180717a4e1d8edd1b56ff85afa09f246b50b70
    • SHA256: 46ec10fa2fe3012d14eeab3898662bdac76e088003c53108647181ea225764ab
    • SHA512: c6c5634238d3bf53aa47eab90b4d4a81e452b65b6119da28439fa6a087743e55f5045acfb7618c68b495b738147c7bbf1d50746bb766e819a05db79dc4d440cf
    • SSDEEP: 3072:FUnXpbwjuDh+IOwsItUAXgAbdTMztbzhJf7GFRI0bBHuJ+uYjGVDCc:KnXpbwjuDh+IOwXtUAXgAbezZHIF8Jvn

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Clears Windows event logs

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

MITRE ATT&CK Enterprise v16

Tasks