xworm | 1bc72757a82f2f9c7bdf9a5d19de6f28c53ba3b4f8eba8dcb5f4590e7affae39 | Triage

Submit
Reports

Overview

overview

Static

static

1

basbasbas.bat

windows7-x64

8

basbasbas.bat

windows10-1703-x64

basbasbas.bat

windows10-2004-x64

basbasbas.bat

windows11-21h2-x64

Sharing

General

Target

basbasbas.bat
Size

1KB
Sample

240516-mn1evage2t
MD5

ddd451685225b980bb2e0789090d3ff5
SHA1

cafbfce346a90aef87782e8ff87a626e5ffa6b05
SHA256

1bc72757a82f2f9c7bdf9a5d19de6f28c53ba3b4f8eba8dcb5f4590e7affae39
SHA512

78e4e8724522abe7170f2e26143fc72cd632eb23b8ba6499558ab1c37e430a53d4f37aeec9f93b6fb465c84e5a476057178ceb6f7f3c728c5c4c21dced02f0da

Score

10^/10

xworm execution rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

basbasbas.bat

Resource

win7-20240221-en

windows7-x64

11 signatures

300 seconds

Behavioral task

behavioral2

Sample

basbasbas.bat

Resource

win10-20240404-en

xworm execution rat trojan

windows10-1703-x64

18 signatures

300 seconds

Behavioral task

behavioral3

Sample

basbasbas.bat

Resource

win10v2004-20240508-en

xworm execution rat trojan

windows10-2004-x64

17 signatures

300 seconds

Behavioral task

behavioral4

Sample

basbasbas.bat

Resource

win11-20240508-en

xworm execution rat trojan

windows11-21h2-x64

17 signatures

300 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

freshinxworm.ddns.net:7000

Mutex

gqDWp48TjRIAdwF2

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  basbasbas.bat
- Size
  
  1KB
- MD5
  
  ddd451685225b980bb2e0789090d3ff5
- SHA1
  
  cafbfce346a90aef87782e8ff87a626e5ffa6b05
- SHA256
  
  1bc72757a82f2f9c7bdf9a5d19de6f28c53ba3b4f8eba8dcb5f4590e7affae39
- SHA512
  
  78e4e8724522abe7170f2e26143fc72cd632eb23b8ba6499558ab1c37e430a53d4f37aeec9f93b6fb465c84e5a476057178ceb6f7f3c728c5c4c21dced02f0da
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Program crash
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan

behavioral3

xwormexecutionrattrojan

behavioral4

xwormexecutionrattrojan

© 2018-2025

Terms | Privacy