Overview

overview

10

Static

static

1

borded.bat

windows7-x64

8

borded.bat

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    borded.bat

  • Size

    292KB

  • Sample

    241013-v2fatsydmb

  • MD5

    758e9341b9f8217cdb5b0085321d65f7

  • SHA1

    704a2713704861618c153ccbb19847dcb0cdc5ce

  • SHA256

    6f6d8b52f73e7de40ca70f74c1694ee57d9ff8b232ac00982c25f05db8dea39a

  • SHA512

    bca661e49102b89a9c4de60db129472c87346a3bebf831fa847bfefa68896bbe07555c29b2573fa2bee378cd769015d56e1044cb5749d9baedd4f4398f6702a1

  • SSDEEP

    6144:qZztTwoXBISDEO5PvFvC0oFQFTUQKtUlDKtlxRO8Ld8ecYS:qZzt7hDHZtq0oFcUQkzxRO8p0D

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:60447

Attributes
  • Install_directory

    %AppData%

  • install_file

    System User.exe

Targets

    • Target

      borded.bat

    • Size

      292KB

    • MD5

      758e9341b9f8217cdb5b0085321d65f7

    • SHA1

      704a2713704861618c153ccbb19847dcb0cdc5ce

    • SHA256

      6f6d8b52f73e7de40ca70f74c1694ee57d9ff8b232ac00982c25f05db8dea39a

    • SHA512

      bca661e49102b89a9c4de60db129472c87346a3bebf831fa847bfefa68896bbe07555c29b2573fa2bee378cd769015d56e1044cb5749d9baedd4f4398f6702a1

    • SSDEEP

      6144:qZztTwoXBISDEO5PvFvC0oFQFTUQKtUlDKtlxRO8Ld8ecYS:qZzt7hDHZtq0oFcUQkzxRO8p0D

    Score
    10/10
    executionxwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Deletes itself

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks