Overview

overview

10

Static

static

1

las.cmd

windows7-x64

10

las.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    las.cmd

  • Size

    6KB

  • Sample

    240523-t76jjahe88

  • MD5

    3a4042eca22b5630f0d94807b7ebf1ab

  • SHA1

    274dec7f1a11302050f24f06f19bc357eee9959e

  • SHA256

    bde622fc1ddebc014f70ce6da713d999d723ec473bf5497a669fd8fbea287e94

  • SHA512

    b7d0653e191f2c56acf22915cfd199ac79d94129d56926d8f99aaa5f834d08196a56998d586ab034b9bd44bc8e759e133da08d0ee853f3c54fee9336913df59c

  • SSDEEP

    96:akLd2YhwXGsvb/IncRIVZjAcmwkpi9Jyg8XiD7528pekM6w2He3JzFBmWsc9nODy:aBYe/b/IcmZjKw5rT5FAx8evcWsc94y

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      las.cmd

    • Size

      6KB

    • MD5

      3a4042eca22b5630f0d94807b7ebf1ab

    • SHA1

      274dec7f1a11302050f24f06f19bc357eee9959e

    • SHA256

      bde622fc1ddebc014f70ce6da713d999d723ec473bf5497a669fd8fbea287e94

    • SHA512

      b7d0653e191f2c56acf22915cfd199ac79d94129d56926d8f99aaa5f834d08196a56998d586ab034b9bd44bc8e759e133da08d0ee853f3c54fee9336913df59c

    • SSDEEP

      96:akLd2YhwXGsvb/IncRIVZjAcmwkpi9Jyg8XiD7528pekM6w2He3JzFBmWsc9nODy:aBYe/b/IcmZjKw5rT5FAx8evcWsc94y

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks