General

  • Target

    Loader.bat

  • Size

    289KB

  • Sample

    240426-wneykshb49

  • MD5

    01e9e8e41830ec643aa6572d0b540312

  • SHA1

    69d15284072cb09b9f37d2127a459e6e3598efae

  • SHA256

    a22dc7b030ee3b740294edfb8c3692df7732bbef2159c663083f7d5bed38594f

  • SHA512

    a87f2c0376276dc762db1e94f6a7911592c343821fb7f04ab36c5762f56f4d3d2285e07558e0dfe7797090fdb34f8ffc1b7a1b6e6983abd1521fe61bd622957e

  • SSDEEP

    6144:pv47BFciu2APidrkIjjR7jUaKyWvRlkI0tqia7fIi2Js/Lke0g:pvkl1djaaPWJIurvg4

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:36797

allows-bass.gl.at.ply.gg:36797

Attributes

  • Install_directory

    %Temp%

  • install_file

    client.exe

Targets

    • Target

      Loader.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15