Overview

overview

10

Static

static

1

xff.cmd

windows7-x64

8

xff.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xff.cmd

  • Size

    64KB

  • Sample

    240523-t68bqshe72

  • MD5

    fa0ef860ffb4c4c8785edbf41a09ed46

  • SHA1

    58e4dddc140fd43397ec9ac7a837ffd119438b3f

  • SHA256

    d03cdb6f745777a9b759cc7b348bfa131ff9228abfa7b468427025331c6cbeb6

  • SHA512

    ad3acaca45746495ff2158d0736aab9b642a1c75ba8b40ea6250b78cd59fc081145278793d4a9874aada2bc37cc11d233151660219a5b5de3c5b64d08fe40bdc

  • SSDEEP

    1536:f/X/G7+gF7PV7f4ENwLaDu83y9vt93hSqAf+3DUwL:f/X/lgFl4ENwLb83y9vtVjYwL

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

nmds.duckdns.org:8895

Mutex

O3B5rRVaa3oX74CD

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      xff.cmd

    • Size

      64KB

    • MD5

      fa0ef860ffb4c4c8785edbf41a09ed46

    • SHA1

      58e4dddc140fd43397ec9ac7a837ffd119438b3f

    • SHA256

      d03cdb6f745777a9b759cc7b348bfa131ff9228abfa7b468427025331c6cbeb6

    • SHA512

      ad3acaca45746495ff2158d0736aab9b642a1c75ba8b40ea6250b78cd59fc081145278793d4a9874aada2bc37cc11d233151660219a5b5de3c5b64d08fe40bdc

    • SSDEEP

      1536:f/X/G7+gF7PV7f4ENwLaDu83y9vt93hSqAf+3DUwL:f/X/lgFl4ENwLb83y9vtVjYwL

    Score
    10/10
    executionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks