Overview

overview

10

Static

static

1

zap.cmd

windows7-x64

10

zap.cmd

windows10-1703-x64

10

zap.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    zap.cmd

  • Size

    6KB

  • Sample

    240523-wpghssbc79

  • MD5

    e60c8b85dbb0822e8d7783bfbcf1373e

  • SHA1

    b82628d1e5f5990cce0fc1759db1d66d272970de

  • SHA256

    74dded6a9d78cb7d3b4f1a0141abe5c25c552583a6a1a1a2c37d3e263f611ab6

  • SHA512

    f4cd5242390b101450cd77d50c661332e042a5a49512d0421aa1aa245ed44820c4759f8db18b9643f4f29ae7ad853451b8b8bac9c76abaca85abbd4e64bd0229

  • SSDEEP

    96:3CAmMQCWs85AG8Cdzn7mhmFDSKG1obatde4MlXMQpQAqvbfq0ifcZvc+dmu29g:3CANQC5iARCdQwg122NMzQq0iUNNdmuh

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      zap.cmd

    • Size

      6KB

    • MD5

      e60c8b85dbb0822e8d7783bfbcf1373e

    • SHA1

      b82628d1e5f5990cce0fc1759db1d66d272970de

    • SHA256

      74dded6a9d78cb7d3b4f1a0141abe5c25c552583a6a1a1a2c37d3e263f611ab6

    • SHA512

      f4cd5242390b101450cd77d50c661332e042a5a49512d0421aa1aa245ed44820c4759f8db18b9643f4f29ae7ad853451b8b8bac9c76abaca85abbd4e64bd0229

    • SSDEEP

      96:3CAmMQCWs85AG8Cdzn7mhmFDSKG1obatde4MlXMQpQAqvbfq0ifcZvc+dmu29g:3CANQC5iARCdQwg122NMzQq0iUNNdmuh

    Score
    10/10
    xwormexecutionrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks