General

  • Target: Recording 2024-09-01.bat
  • Size: 10.5MB
  • Sample: 240902-s8ypmstdqq
  • MD5: ea1315beaae801fd48de7f359a6f9411
  • SHA1: a565aee47aa42bd87dafea38d6090447df6d822c
  • SHA256: 0c55bb4d572eb35093da11086643bcf6c04a1b7653de40e5e289df61b96f0c16
  • SHA512: 1616cad5cff6a75306db6479f98df4bf78084c0596983a9e46cedffed447ab0028a839604d3dd931603e535e455b52688a942e98582ba1751d1d13611ffbe00f
  • SSDEEP: 49152:RCRYnt0My3KYMfNIBZ9pCm4+DwXGPOXFTqKZp239XT48jmRjrd7dU52F65QV9Qp2:9

Malware Config

Extracted

  • Family: xworm
  • C2: manufacturer-rank.gl.at.ply.gg:60383
  • Attributes
      • Install_directory: %AppData%
      • install_file: USB.exe

Targets

    • Target: Recording 2024-09-01.bat (file details as listed under General)

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15