Overview

overview

10

Static

static

1

XClient (1).bat

windows7-x64

8

XClient (1).bat

windows10-2004-x64

10

Resubmissions

07-11-2024 23:56

241107-3zdm8a1aml 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    XClient (1).bat

  • Size

    72KB

  • Sample

    241107-3zdm8a1aml

  • MD5

    73585d18685e06c4f21302c275ca6682

  • SHA1

    dd0bae964a108a1c923a1f9b99e72f82064786dd

  • SHA256

    b953aae6b09f2002ca056f6cef521960a91711152d5ebd5cf0055d9a491a5554

  • SHA512

    00b2276e24b96b9b8c0629a1913f8a1c0ee7ab12e2fa4ce8f9b54fabeb02b0383eb183b1d45f16e86175108a9c7990f40a4671e29a2dde8400dbb60d3974b08a

  • SSDEEP

    1536:PhOHtmQQ2yEPUWKzKbYd1P/OCWA7Vm6H/j5z5y3Wdjyh:YvTMKY1OCF0xWV+

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758
Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Targets

    • Target

      XClient (1).bat

    • Size

      72KB

    • MD5

      73585d18685e06c4f21302c275ca6682

    • SHA1

      dd0bae964a108a1c923a1f9b99e72f82064786dd

    • SHA256

      b953aae6b09f2002ca056f6cef521960a91711152d5ebd5cf0055d9a491a5554

    • SHA512

      00b2276e24b96b9b8c0629a1913f8a1c0ee7ab12e2fa4ce8f9b54fabeb02b0383eb183b1d45f16e86175108a9c7990f40a4671e29a2dde8400dbb60d3974b08a

    • SSDEEP

      1536:PhOHtmQQ2yEPUWKzKbYd1P/OCWA7Vm6H/j5z5y3Wdjyh:YvTMKY1OCF0xWV+

    Score
    10/10
    executionxwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks