General

  • Target

    RbxPredictor.bat

  • Size

    755B

  • Sample

    240401-243mgaac29

  • MD5

    8d11409df3f91dd8940bc041203be830

  • SHA1

    db0ccedde3720939b4cc0e4fd60c0c010648e61b

  • SHA256

    63cc8352adad4e4039864b5fce5dd2a8d13a97076a14e67c936dcce81a985317

  • SHA512

    b0bef88bfd19669dedaaf56b23f9ddefe02130c2d695dfcbec8ecaa542ccde9674d860ba2f1039305807390f4f1c1389fce581c74c5d439be751be7ce1935d68

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://raw.githubusercontent.com/zenyll/l/main/i.exe

Extracted

Family

xworm

C2

193.222.96.30:6969

Attributes

  • Install_directory

    %AppData%

  • install_file

    Winhealth.exe

  • telegram

    https://api.telegram.org/bot6703930852:AAHkGtAzjTv18cTE6yjZ0UbhefLu4Fjl9Gc

Targets

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
