General

  • Target

    stub.bat

  • Size

    296KB

  • Sample

    240710-zx92vssdpe

  • MD5

    907e9fc6911129b0a47c7d86d7f7f9d8

  • SHA1

    685dfd20c4e49dbb6f6aad11b58c97ab0162e8bc

  • SHA256

    c149c689139cacc133cf0718188cbedc9fe0be449297a71f1c5a18255bdfac2a

  • SHA512

    07a1239ded8379d48dee4cfef74e9496c090ecc4b8efae0bb26fafbebc58736be0e69f7b9ded184da058e282f0f8a0c69060c60ae8ab870cc1d68aee328713ee

  • SSDEEP

    6144:PlnR5B5sUMI+nNsj1dh6X+eRMiTF+VFESpcob6SgTMzpbm6j9o88Upt/R8N0ns7:9R5zsUMDsjx4dF6cSQ4BOUD/RE7

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:48802

those-situation.gl.at.ply.gg:48802

Attributes
  • Install_directory

    %AppData%

  • install_file

    x4host.exe

Targets

    • Target

      stub.bat

    • Size

      296KB

    • MD5

      907e9fc6911129b0a47c7d86d7f7f9d8

    • SHA1

      685dfd20c4e49dbb6f6aad11b58c97ab0162e8bc

    • SHA256

      c149c689139cacc133cf0718188cbedc9fe0be449297a71f1c5a18255bdfac2a

    • SHA512

      07a1239ded8379d48dee4cfef74e9496c090ecc4b8efae0bb26fafbebc58736be0e69f7b9ded184da058e282f0f8a0c69060c60ae8ab870cc1d68aee328713ee

    • SSDEEP

      6144:PlnR5B5sUMI+nNsj1dh6X+eRMiTF+VFESpcob6SgTMzpbm6j9o88Upt/R8N0ns7:9R5zsUMDsjx4dF6cSQ4BOUD/RE7

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#; this sample installs as x4host.exe under %AppData% and calls back to the playit.gg tunnel host listed in the config.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden (the -WindowStyle Hidden behaviour).

    • Drops startup file

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
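
The behaviours above (known sample hash, hidden PowerShell launch, x4host.exe dropped under %AppData%, a Run key pointing at it, the callback to those-situation.gl.at.ply.gg:48802 and the external-IP lookup) map onto a short host-telemetry hunt. The block below is an added example and is not part of the sandbox report or of any vendor's tooling: it runs the report's indicators over a handful of constructed, Sysmon-shaped event records (event IDs 1, 3, 11, 13 and 15 with their usual field names; not real captured telemetry). The list of IP-lookup services is an assumption, since the report does not name the one used, and the loopback entry 127.0.0.1:48802 from the extracted config is deliberately ignored because it is not a usable network indicator; the ply.gg name is a playit.gg tunnel, so the real C2 address sits behind that service.

```python
"""Hunt for the sandbox-reported XWorm behaviours in Sysmon-like events.

Added example, not part of the report. EVENTS is constructed by hand in a
simplified Sysmon shape; it is not real telemetry. IP_LOOKUP_HOSTS is an
assumed list of common lookup services."""
import re

# Indicators taken directly from the report.
SAMPLE_SHA256 = "c149c689139cacc133cf0718188cbedc9fe0be449297a71f1c5a18255bdfac2a"
C2_HOST = "those-situation.gl.at.ply.gg"   # playit.gg tunnel; hides the real C2 IP
C2_PORT = 48802
INSTALL_FILE = "x4host.exe"                 # dropped under %AppData%
# 127.0.0.1:48802 from the config is loopback and is intentionally not used.

# Assumption: services a "looks up external IP" signature usually fires on.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

HIDDEN_PS = re.compile(r"-w\w*\s+(?:hidden|1)\b", re.I)  # -WindowStyle Hidden, -w hidden, -w 1
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)

# Constructed events (not real telemetry), keyed like Sysmon fields.
EVENTS = [
    {"id": 15, "TargetFilename": r"C:\Users\u\Downloads\stub.bat",
     "Hash": "SHA256=" + SAMPLE_SHA256.upper()},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\Downloads\stub.bat"'},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command ..."},
    {"id": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\x4host.exe"},
    {"id": 13, "Image": r"C:\Users\u\AppData\Roaming\x4host.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\x4host",
     "Details": r"C:\Users\u\AppData\Roaming\x4host.exe"},
    {"id": 3, "Image": r"C:\Users\u\AppData\Roaming\x4host.exe",
     "DestinationHostname": "those-situation.gl.at.ply.gg", "DestinationPort": 48802},
    {"id": 3, "Image": r"C:\Users\u\AppData\Roaming\x4host.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"id": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},  # benign noise
]


def hunt(events):
    """Return (rule_name, evidence) tuples for every event that matches an indicator."""
    hits = []
    for e in events:
        eid = e["id"]
        image = e.get("Image", "").lower()
        # Event 15 carries the hash of a file written with a Zone.Identifier stream (download).
        if eid == 15 and SAMPLE_SHA256 in e.get("Hash", "").lower():
            hits.append(("known_sample_hash", e["TargetFilename"]))
        # Hidden PowerShell window, as the "Command and Scripting Interpreter" signature reports.
        if eid == 1 and image.endswith("powershell.exe") and HIDDEN_PS.search(e.get("CommandLine", "")):
            hits.append(("hidden_powershell", e["CommandLine"]))
        # The install file from the extracted config landing in %AppData%.
        if eid == 11 and e.get("TargetFilename", "").lower().endswith("\\appdata\\roaming\\" + INSTALL_FILE):
            hits.append(("install_file_dropped", e["TargetFilename"]))
        # Run-key persistence whose value points at that install file.
        if eid == 13 and RUN_KEY.search(e.get("TargetObject", "")) and INSTALL_FILE in e.get("Details", "").lower():
            hits.append(("run_key_persistence", e["TargetObject"]))
        if eid == 3:
            host = e.get("DestinationHostname", "").lower()
            port = int(e.get("DestinationPort", 0))
            if host == C2_HOST and port == C2_PORT:
                hits.append(("c2_connection", f"{host}:{port}"))
            # Only flag the IP lookup when the implant itself makes it; browsers do this too.
            if host in IP_LOOKUP_HOSTS and image.endswith(INSTALL_FILE):
                hits.append(("external_ip_lookup", f"{image} -> {host}"))
    return hits


def rule_names(events):
    """Distinct rules that fired, for a quick verdict."""
    return {name for name, _ in hunt(events)}


if __name__ == "__main__":
    for name, evidence in hunt(EVENTS):
        print(f"{name:22} {evidence}")
```

Any one of these hits on its own is weak (hidden PowerShell and IP lookups are common in benign automation); the value is the chain, so in a real deployment correlate them by host and time window rather than alerting on each rule separately.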

MITRE ATT&CK Enterprise v15

Tasks