xworm | a0746dbb2708b10f8afa1b8bc37edcccb0657296045f6d689f852283cda5e483 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

System Client.bat
Size

296KB
Sample

241009-ph62jsyeld
MD5

45f2ae1bc0bcfdad8f81224ad61da091
SHA1

3c91192b3e8b04a05645b5e4dab2020077bf28d6
SHA256

a0746dbb2708b10f8afa1b8bc37edcccb0657296045f6d689f852283cda5e483
SHA512

de53a4c9a787abbe9c2472e68321e57a67ffd7aea9c760c2dd0d967783cab9f696f0cb3b85b5197cb9538b8a42d1d516549b3e8f6ac391c23fe0903886fe221a
SSDEEP

6144:ZXrcj9NAl3LRyC/3vV7MfC2JYt4eyPEETBhVMhKS+C7+tbN/Y:ZbM9i9L/6Cs3eyPEiBhV8KC7ER/Y

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.18:28515

Attributes

Install_directory
%AppData%
install_file
System User.exe

Targets

- Target
  
  System Client.bat
- Size
  
  296KB
- MD5
  
  45f2ae1bc0bcfdad8f81224ad61da091
- SHA1
  
  3c91192b3e8b04a05645b5e4dab2020077bf28d6
- SHA256
  
  a0746dbb2708b10f8afa1b8bc37edcccb0657296045f6d689f852283cda5e483
- SHA512
  
  de53a4c9a787abbe9c2472e68321e57a67ffd7aea9c760c2dd0d967783cab9f696f0cb3b85b5197cb9538b8a42d1d516549b3e8f6ac391c23fe0903886fe221a
- SSDEEP
  
  6144:ZXrcj9NAl3LRyC/3vV7MfC2JYt4eyPEETBhVMhKS+C7+tbN/Y:ZbM9i9L/6Cs3eyPEiBhV8KC7ER/Y
Score

10^/10

xworm execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xwormexecutionrattrojan