General

  • Target

    9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e.bat

  • Size

    152KB

  • Sample

    240514-m8f7psda5s

  • MD5

    0b426e8571f8d3e437b7a42e9b8fd808

  • SHA1

    986edba4c39be9edb552284dac555e2e95f68a4a

  • SHA256

    9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e

  • SHA512

    e2efb8ba96b4c11b6167f085d5545e7e4971850e3c57f76957b8a0b0e1896537d935d123de93c1ebfd3efab34139e9bf902911ba54f20ddffad21edeeb16b021

  • SSDEEP

    3072:TXHtlYzFn8xKlZqwe64MpN9Q2cLNt0hcjhK7ZmVG/:rUB8gQMpvQ2Er0aG/

Malware Config

Extracted

Family

xworm

Version

5.0

C2

94.156.8.167:2020

Mutex

8sPZSP21r8KwS1LM

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      9c1a4e3a1c90d013a9465ab585ad7a9cfc378ebdbe77fc1548cb81c791e6914e.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.
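As an added example (not part of this report and not code from the sample), the following Python turns the extracted config above (C2 94.156.8.167:2020, install_file USB.exe) and the hidden-window PowerShell behaviour into detection rules and runs them over Sysmon-style process-creation and network-connection events. The events, the dropper.bat name, the user paths and the rule names are constructed for illustration; only the C2 address, port and install file name come from the report.

```python
"""Detection checks for the behaviours and IOCs in this XWorm report, run over
constructed Sysmon-style events.

Added example, not output of the sandbox run: the events below are made up to
exercise the checks; only the C2 address/port and the install file name are
taken from the report's extracted config.
"""
import ntpath

XWORM_C2_IP = "94.156.8.167"      # from the report's extracted config
XWORM_C2_PORT = 2020              # from the report's extracted config
XWORM_INSTALL_FILE = "usb.exe"    # from the report (compared case-insensitively)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}  # a .bat runs under cmd.exe


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def has_hidden_window(cmdline: str) -> bool:
    """True if a powershell.exe command line requests a hidden window.

    powershell.exe matches switch names by prefix, so -w, -wi, -win ... and
    -WindowStyle all mean the same thing, and the leading dash may be a slash.
    The value is compared case-insensitively with surrounding quotes removed.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in "-/":
            continue
        name = tok[1:].lower()
        if name and "windowstyle".startswith(name):
            return tokens[i + 1].strip('"\'').lower() == "hidden"
    return False


def rule_hidden_powershell(ev: dict) -> bool:
    """Report signature 'Runs PowerShell with its display window hidden',
    tightened to launches from a script host to cut down on admin noise."""
    return (
        ev["event"] == "process_create"
        and _basename(ev["image"]) in POWERSHELL_IMAGES
        and _basename(ev.get("parent_image", "")) in SCRIPT_HOSTS
        and has_hidden_window(ev["cmdline"])
    )


def rule_xworm_c2(ev: dict) -> bool:
    """Network connection to the C2 extracted from the sample's config."""
    return (
        ev["event"] == "network_connect"
        and ev["dest_ip"] == XWORM_C2_IP
        and int(ev["dest_port"]) == XWORM_C2_PORT
    )


def rule_xworm_install_file(ev: dict) -> bool:
    """Process running under the configured install_file name. Weak on its own
    (USB.exe is a generic name); treat it as corroboration for the C2 hit."""
    return ev["event"] == "process_create" and _basename(ev["image"]) == XWORM_INSTALL_FILE


RULES = {
    "powershell_hidden_window_from_script_host": rule_hidden_powershell,
    "xworm_c2_94.156.8.167_2020": rule_xworm_c2,
    "xworm_install_file_usb_exe": rule_xworm_install_file,
}


def triage(events) -> list:
    """Return (rule_name, event_id) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["id"]))
    return hits


# Constructed Sysmon-style events (not from the sandbox run); dropper.bat, the
# user profile path and stage.ps1 are hypothetical names.
SAMPLE_EVENTS = [
    {"id": 1, "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\Downloads\dropper.bat"'},
    {"id": 2, "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\user\AppData\Roaming\stage.ps1"},
    {"id": 3, "event": "process_create",
     "image": r"C:\Users\user\AppData\Roaming\USB.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\USB.exe"},
    {"id": 4, "event": "network_connect",
     "image": r"C:\Users\user\AppData\Roaming\USB.exe",
     "dest_ip": "94.156.8.167", "dest_port": 2020},
    # Benign noise: visible-window PowerShell from a batch job, unrelated TLS.
    {"id": 5, "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -WindowStyle Normal -File C:\scripts\backup.ps1"},
    {"id": 6, "event": "network_connect",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "94.156.8.168", "dest_port": 443},
]

if __name__ == "__main__":
    for name, eid in triage(SAMPLE_EVENTS):
        print(f"{name:45} event {eid}")
```

The PowerShell rule parses the switch by prefix rather than grepping for the literal string "-WindowStyle Hidden" because droppers routinely write "-w hidden" or "/wi hidden", which a literal match misses. The C2 address and port are the highest-confidence indicator but also the shortest-lived, since they change between builds; the install_file name and the mutex from the config are the longer-lived pivots when hunting across samples.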

MITRE ATT&CK Enterprise v15
