General

  • Target

    chigga.bat

  • Size

    290KB

  • Sample

    241013-evwq8ssgpq

  • MD5

    28ecf9cd33dca58f09d8bd2a337263ff

  • SHA1

    c275ac7e42cb7561dbe3ed884a7124bcee731b43

  • SHA256

    e41e6d8e5d22c30f0a1937b45ed379949b77947f75c06ca9042a027f895b377a

  • SHA512

    bc6f2bb93a21eee244b3c81165214748992ac92d36d9531d7cb72b7c65b1213ecf8d192c8bca734b7f6b26e83b7dad3f34fd9a6aee039f2001c5d64b48656307

  • SSDEEP

    6144:uPjVXHhP7ZNLiRxgRxHMWRJ7GwYMLma8v6JW/jPufiHR6yjSEzA6:ubPL6+HZSwYem3vY0jPufGSqA6

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:19713

Attributes

  • Install_directory

    %AppData%

  • install_file

    SystemUser.exe

Targets

    • Target

      chigga.bat

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Deletes itself

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks