General
-
Target
nigger.bat
-
Size
287KB
-
Sample
241014-efpz5sxhja
-
MD5
4fc6685520f63bbcb980825b8932bed2
-
SHA1
c9646d310235c1c24462d7d8ca841ffc3b49e32a
-
SHA256
caefacb8551340d5621c4b8bef9b4501e4c56415c09a7021f239c5be3c613405
-
SHA512
1b9bcbaa5cfe932fb4099f7c52e85abbb47ad082cee24f8d941cef7b5d9f3b6000681d0b1ee5c09818366ac1755aafd3dff52fb43b122f815be7ac1574099776
-
SSDEEP
6144:d8+MXtItrKJNvJLK3xSbI9K/bERmxXDSvaLfEJlkkLzllrvW96BStDJE:dvMtItmPJL8xSs9K/gRmxTffCfllrvEI
Malware Config
Extracted
xworm
147.185.221.23:19686
-
Install_directory
%AppData%
-
install_file
USB.exe
Targets
-
-
Target
nigger.bat
-
Size
287KB
-
MD5
4fc6685520f63bbcb980825b8932bed2
-
SHA1
c9646d310235c1c24462d7d8ca841ffc3b49e32a
-
SHA256
caefacb8551340d5621c4b8bef9b4501e4c56415c09a7021f239c5be3c613405
-
SHA512
1b9bcbaa5cfe932fb4099f7c52e85abbb47ad082cee24f8d941cef7b5d9f3b6000681d0b1ee5c09818366ac1755aafd3dff52fb43b122f815be7ac1574099776
-
SSDEEP
6144:d8+MXtItrKJNvJLK3xSbI9K/bERmxXDSvaLfEJlkkLzllrvW96BStDJE:dvMtItmPJL8xSs9K/gRmxTffCfllrvEI
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1