General

  • Target

    2501e83f738b12ed186682b7b962ab755d25a3e3de0202071f2d596ab043cdcd.bat

  • Size

    193B

  • Sample

    240813-bg9jdswcre

  • MD5

    15bf9d410962834084b7fe0effc0223b

  • SHA1

    cc8e4bb64f49838a1af2e1a4c42f737ed4e09d7c

  • SHA256

    2501e83f738b12ed186682b7b962ab755d25a3e3de0202071f2d596ab043cdcd

  • SHA512

    73d41a60f5bca35bfcb2577b179b1e84c9b0be6834a0a784d9a6096f01230069313063a63fb48e3fe3cfae35fd008b717ef720f6d4589c93a202025b8b6232c8

Malware Config

Extracted

Family

xworm

Version

5.0

C2

198.244.206.37:7000

Mutex

qeAHLfR3nbg5ttUt

Attributes
  • install_file

    USB.exe

aes.plain

Targets

    • Target

      2501e83f738b12ed186682b7b962ab755d25a3e3de0202071f2d596ab043cdcd.bat

    • Size

      193B

    • MD5

      15bf9d410962834084b7fe0effc0223b

    • SHA1

      cc8e4bb64f49838a1af2e1a4c42f737ed4e09d7c

    • SHA256

      2501e83f738b12ed186682b7b962ab755d25a3e3de0202071f2d596ab043cdcd

    • SHA512

      73d41a60f5bca35bfcb2577b179b1e84c9b0be6834a0a784d9a6096f01230069313063a63fb48e3fe3cfae35fd008b717ef720f6d4589c93a202025b8b6232c8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Download via BitsAdmin

    • Downloads MZ/PE file

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks