xworm | 582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651 | Triage

Sharing

General

Target

time.cmd
Size

82KB
Sample

240523-tt757sgh3s
MD5

8b962a01cb7b585d3308701068180e39
SHA1

56528670260aa0d4b60fbffdc7566a3654112f8d
SHA256

582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651
SHA512

56b5012d96decb4fabef930becdc35593fbc34fcc0bfde36316a07586a2ad9d605b989db87f22ba5c0757aa78417ac7c79afee29a4cd0719aac8306a2ada56e7
SSDEEP

1536:orogwg5pVXbSClWeINO/7lP3zsY8rTVRIJ9KPhv74+bha95O:7SpgeIo/7lP3OWahc+bha95O

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  time.cmd
- Size
  
  82KB
- MD5
  
  8b962a01cb7b585d3308701068180e39
- SHA1
  
  56528670260aa0d4b60fbffdc7566a3654112f8d
- SHA256
  
  582241fc0a328832d3ae8c80fd1025b7ca5fc16dd89739a6131b87e77c855651
- SHA512
  
  56b5012d96decb4fabef930becdc35593fbc34fcc0bfde36316a07586a2ad9d605b989db87f22ba5c0757aa78417ac7c79afee29a4cd0719aac8306a2ada56e7
- SSDEEP
  
  1536:orogwg5pVXbSClWeINO/7lP3zsY8rTVRIJ9KPhv74+bha95O:7SpgeIo/7lP3OWahc+bha95O
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan