xworm

General

Target

e7a30ecc660327ba66d756854c903b66.zip
Size

6KB
Sample

241108-apf2dazpgt
MD5

e7a30ecc660327ba66d756854c903b66
SHA1

cf197be80cf459d4ed48a88bb2e963f54c050094
SHA256

e743565620baacf71eba059fe7a85aaa42ff29fa453941e5d361023833ca71d7
SHA512

4256d3498e51468111395b77c372fae8bff9db68726ca09a3a16a100989f14469524d4e4ef3d938a904a20a2cc69c455147bcbc58bfe93aa8e51d94cdb2de937
SSDEEP

192:dx+vt9ysja/nTKnZ7R9Xpg1rpk9KzNg41F8utGxQj:d69yvSZgp+0D8Q

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

exe.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

Targets

- Target
  
  CONSIGNACIÓN INTERBANCARIA NO 89765987587698097654376589.bat
- Size
  
  210KB
- MD5
  
  24e3c5a8c5ce37efb76a08a124a2f525
- SHA1
  
  1378fa68873d9ce2368aac281632ff5dab2f59d0
- SHA256
  
  233bca3f0a5f3dbc98d3765ecc8631fd552366a78f052cc13c970b94a107e459
- SHA512
  
  e9ae4a7948cefe01143e5646220f9b6d1c78b34db0ec4f2220d74daf8add209d5b55f76eb2fcf2b3d995cdeee957aebb3e0f9f736cced0ddba8ba249d18bcc62
- SSDEEP
  
  6144:vZuSzJTZolPPaVOZwrXQJ5RV5RFVVjRbVbJlv8:B
Score

10^/10

execution xworm rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Drops startup file
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect Xworm Payload

Xworm family

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops startup file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2