xworm | 152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5 | Triage

Sharing

General

Target

zap.cmd
Size

65KB
Sample

240523-tx163ahb79
MD5

85c9311ae0014ac8bb98089d0bd51bdc
SHA1

5140e9beda6014b02df3c09f84a284f9c25532ca
SHA256

152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
SHA512

f202a1e07afb444e5264cd28f7c0eedd55a3d002d14f989bf9fb065fd451be1df6197b5dcb61c616e8dbd1d3ba43cdc058192c89858c8bc292c199d5e8e9fb54
SSDEEP

768:std2pH1E6G5dMQzfwXLyVM0rAQiB/tp6UTGKxHHVpMGgJxhvtsQekLpzmWnfCB3Q:fpH1E6YrfDSF+UaaLtE1sQeAJ2Zlg9

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

hjxwrm5.duckdns.org:8896

Mutex

MSmkrgH8xVI2Dczk

Attributes

install_file
USB.exe

aes.plain

Targets

- Target
  
  zap.cmd
- Size
  
  65KB
- MD5
  
  85c9311ae0014ac8bb98089d0bd51bdc
- SHA1
  
  5140e9beda6014b02df3c09f84a284f9c25532ca
- SHA256
  
  152cbca849779c40fe6673458a9e25e4be0b080f7cb4db8cfee5a88cec74b1e5
- SHA512
  
  f202a1e07afb444e5264cd28f7c0eedd55a3d002d14f989bf9fb065fd451be1df6197b5dcb61c616e8dbd1d3ba43cdc058192c89858c8bc292c199d5e8e9fb54
- SSDEEP
  
  768:std2pH1E6G5dMQzfwXLyVM0rAQiB/tp6UTGKxHHVpMGgJxhvtsQekLpzmWnfCB3Q:fpH1E6YrfDSF+UaaLtE1sQeAJ2Zlg9
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xwormexecutionrattrojan