xworm | bad67dd9454a5d74dd958eda8ac49c6682d798d3182aeeb1ee198ce3e66f5109 | Triage

Sharing

General

Target

rootkited.bat
Size

440KB
Sample

241107-x5k2laxjdv
MD5

e484f05f1d6bb25017695938f8f9d1dc
SHA1

31b317dbf41bea5ef0e1338ba1dfedb019c4a606
SHA256

bad67dd9454a5d74dd958eda8ac49c6682d798d3182aeeb1ee198ce3e66f5109
SHA512

27375f90ca85c1a1393a1bfa243abdce413bca3a4cfde9ef80a890c93ed0b16f79ce1111671ba2a6fb6f12e5c1dfe6f0c026bc1ced01c24f7a106eaaaecd6984
SSDEEP

12288:Vq1Mvj0LPw0oYCy1Jx5oZamp0RHHwJOtx:VljsI0dC68Za80BQEx

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/54jZmcfW
telegram
https://api.telegram.org/bot7470467235:AAH5xKlgIYdawUGRmIROyBj64e_oY5ROaic/sendMessage?chat_id=1330099235

Targets

- Target
  
  rootkited.bat
- Size
  
  440KB
- MD5
  
  e484f05f1d6bb25017695938f8f9d1dc
- SHA1
  
  31b317dbf41bea5ef0e1338ba1dfedb019c4a606
- SHA256
  
  bad67dd9454a5d74dd958eda8ac49c6682d798d3182aeeb1ee198ce3e66f5109
- SHA512
  
  27375f90ca85c1a1393a1bfa243abdce413bca3a4cfde9ef80a890c93ed0b16f79ce1111671ba2a6fb6f12e5c1dfe6f0c026bc1ced01c24f7a106eaaaecd6984
- SSDEEP
  
  12288:Vq1Mvj0LPw0oYCy1Jx5oZamp0RHHwJOtx:VljsI0dC68Za80BQEx
Score

10^/10

xworm defense_evasion discovery execution rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

Clear Windows Event Logs

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xwormdefense_evasiondiscoveryexecutionrattrojan